Abstract

We present a new model for deterministic-by-construction parallel programming that generalizes existing single-assignment models to allow multiple assignments that are monotonically increasing with respect to a user-specified partial order. Our model achieves determinism by using a novel shared data structure with an API that allows only monotonic writes and "threshold" reads that block until a lower bound is reached. We give a proof of determinism for our model, discuss ways to express existing deterministic parallel models using it, and describe how to extend it to support a limited form of nondeterminism that admits failures but never wrong answers.

1 Introduction 

Programs written using a deterministic-by-construction model of parallel computation always produce the same observable results, offering programmers the promise of freedom from subtle, hard-to-reproduce nondeterministic bugs. A common theme that emerges in the study of diverse deterministic-by-construction parallel systems, from venerable models like Kahn process networks (KPNs) [15] to modern ones like Intel's Concurrent Collections (CnC) system, is that the determinism of the model hinges on some notion of monotonicity. In KPNs, for instance, processes communicate over FIFO channels with ever-increasing channel histories, while in CnC, a shared data store of single-assignment variables grows monotonically.

Because state modifications that only add information and never destroy it can be structured to commute with one 
another (and thereby avoid insidious race conditions), it stands to reason that monotonic data structures play a key 
role in the design of deterministic -by-construction parallel programming models. Yet there is little in the way of a 
general theory of monotonic data structures as a basis for deterministic, shared-state concurrency. As a result, models 
like CnC and KPNs emerge independently, without recognition of their common basis. In this paper we take a step 
towards a more general theory. 

We begin with an example. Consider the program in Figure 1(a), written in a hypothetical programming language with locations, standard get and put operations on locations, and a let par form for parallel evaluation of multiple subexpressions. Depending on whether get l or put l 4 executes first, the value of v might be either 3 or 4. Hence Figure 1(a) is nondeterministic: multiple runs of the program can produce different observable results based on choices made by the scheduler.

A straightforward modification we can make to our hypothetical language to enforce determinism is to require that variables may be written to at most once, resulting in a single-assignment language [24]. Such single-assignment variables are sometimes known as IVars¹ and are a well-established mechanism for enforcing determinism at the language and library level [8, 26, 7, 18] and even at the hardware level. In a language with IVars, the second call to put in Figure 1(a) would raise an error, and the resulting program, since it would always produce the error, would be deterministic.

IVars enforce determinism by restricting the writes that can occur to a variable. However, the single-write restriction can be weakened as long as reads are also restricted. In Figure 1(b), we modify get to take an extra argument,

* Revises the previous version dated July 2012.

¹ IVars are so named because they are a special case of I-structures [3], namely those with only one cell.
(a)                              (b)
let _ = put l 3 in               let _ = put l 3 in
let par v = get l                let par v = get l 4
        _ = put l 4                      _ = put l 4
in v                             in v

(c)
let _ = put l 3 in
let par v = get l 4
        _ = put l 4
        _ = put l 5
in v

Figure 1: Three example programs: (a) nondeterministic, (b) deterministic with a threshold read, and (c) deterministic with a threshold read that returns the specified threshold value.



representing the minimum value that we are interested in reading from l. If the value of l has not yet reached 4 at the time that get l 4 is ready to run, the operation blocks until it does, giving put l 4 an opportunity to run first. Assuming (as we do) that the scheduler will eventually decide to run both branches of the let par expression, Figure 1(b) is deterministic and will always evaluate to 4. Moreover, if we had written get l 5 instead of get l 4, the program would be guaranteed to block forever.

Our tweak fixes the specific program in Figure 1(b). But what if multiple subcomputations are writing to l in parallel, all with values greater than or equal to four? Competing puts land us back where we started: Figure 1(c) might evaluate to either 4 or 5 without further restrictions. Therefore we propose a design in which, if a minimum or "threshold" value specified by a get operation has been reached, then the get operation returns that minimum value, not the current (scheduler-dependent) contents of the location. This get restriction is not as draconian as it may seem; later we will see how the total order in these examples can be relaxed to a partial order, and potentially infinite sets of threshold values may be specified. Together, monotonically increasing puts and minimum-value gets yield a deterministic-by-construction model, guaranteeing that every program written using the model will behave deterministically.
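The argument above can be checked mechanically. The following is an added example, not code from the paper: it enumerates every scheduler interleaving of the single-operation let par branches of Figure 1 over the domain of natural numbers ordered by ≤, where put takes a maximum and a threshold get returns its threshold. The operation encoding ("put", "get", "get_raw", "get_state") is our own; "get_state" is the rejected variant that returns the location's current contents once the threshold is reached, included to show why Figure 1(c) needs the threshold-returning rule.

```python
# Added example (ours, not from the paper): enumerate every scheduler
# interleaving of the single-operation `let par` branches in Figure 1, over
# the domain of natural numbers ordered by ≤ (so put takes a max and a
# threshold get returns its threshold). Operation names are our own encoding.
import itertools

def outcomes(branches, initial=3):
    """Set of results v of `let _ = put l 3 in let par <branches> in v`.

    Each branch is one of:
      ("put", n)         put l n
      ("get_raw", None)  Figure 1(a): unrestricted read, returns the current state
      ("get", n)         Figure 1(b)/(c): block until state ≥ n, return n
      ("get_state", n)   rejected variant: block until state ≥ n, return the state
    A blocked branch is skipped and retried after the others have had a turn;
    if no branch can make progress the program blocks forever.
    """
    results = set()
    for order in itertools.permutations(branches):
        state, v, pending = initial, None, list(order)
        progress = True
        while pending and progress:
            progress = False
            for op in list(pending):
                kind, arg = op
                if kind == "put":
                    state = max(state, arg)          # lub in (ℕ, ≤): inflationary
                elif kind == "get_raw":
                    v = state
                elif kind in ("get", "get_state"):
                    if state < arg:
                        continue                     # threshold not reached: blocked
                    v = arg if kind == "get" else state
                pending.remove(op)
                progress = True
        results.add("blocked forever" if pending else v)
    return results

# The three programs of Figure 1, after the initial `put l 3`.
FIG1A = [("get_raw", None), ("put", 4)]
FIG1B = [("get", 4), ("put", 4)]
FIG1C = [("get", 4), ("put", 4), ("put", 5)]

if __name__ == "__main__":
    print("Figure 1(a):", outcomes(FIG1A))
    print("Figure 1(b):", outcomes(FIG1B))
    print("Figure 1(b) with get l 5:", outcomes([("get", 5), ("put", 4)]))
    print("Figure 1(c):", outcomes(FIG1C))
    print("Figure 1(c), get returning state:",
          outcomes([("get_state", 4), ("put", 4), ("put", 5)]))
```

Figure 1(a) yields both 3 and 4, Figure 1(b) always 4, get l 5 blocks forever, and Figure 1(c) yields only 4 under the threshold-returning rule but {4, 5} under the variant that returns the current state, which is exactly the nondeterminism the threshold rule removes.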

Our proposed model generalizes IVars to LVars, thus named because their states can be represented as elements of a user-specified partially ordered set that forms a bounded join-semilattice. This user-specified partially ordered set, which we call a domain, determines the semantics of the put and get operations that comprise the interface to LVars. In Figure 1(c), for instance, the domain that determines the semantics of put and get might be the natural numbers ordered by ≤. The LVar model is general enough to subsume the IVar model, as well as other deterministic parallel models, because it is parameterized by the choice of domain. For example, a domain of channel histories with a prefix ordering would allow LVars to become FIFO channels that implement a Kahn process network. Different instantiations of the domain result in a family of parallel languages, all of which are deterministic. This family of languages is exactly the class of languages that deal with asynchronous, data-driven parallelism [19], which is critical for irregular parallel applications such as graph algorithms.

An example application that uses rich, shared data structures and that processes irregular data is Hindley-Milner 
type inference. In a parallelized type-inference algorithm, each type variable becomes an LVar, and upward movement 
in the lattice represents type unification. Another example is the problem of removing duplicates from a list in parallel. 
One solution is for multiple computations to insert elements into a single, shared set data structure, with a domain 
ordered by subset inclusion. 

Monotonically increasing variables naturally lend themselves to a variety of parallel operations on data structures in a way that single-assignment variables do not. For instance, in the duplicate-removal example, the shared set might be represented by a trie. Consider then inserting two keys, say, 010 and 101, into the trie from different points in the parallel computation. Supposing that 0 represents "left" and 1 "right", there would seem to be no conflict: the two operations are filling in disjoint parts of the data structure. However, if the trie were implemented with IVars, each operation would need to fill in a chain of IVars, populating the tree from the root to the leaf in question. To retain determinism, IVars do not allow testing for emptiness, so there would be no way for one put operation to know if another had already populated the root of the trie. Moreover, if both operations attempted to create a new node and then insert it into the IVar at the root of the trie, then we would cause a violation of the single-assignment rule. This is a limitation of IVars that LVars solve.
Contributions In this paper, we introduce LVars as the building block of a model of deterministic parallelism (Section 2) and use them to define λLVar, a parallel calculus with shared state based on the call-by-value λ-calculus (Section 3). As our main technical result, we present a proof of determinism for λLVar (Section 4). A critical aspect of the proof is a frame-rule-like property, expressed by the Independence lemma (Section 4.3), that would not hold in a typical language with shared mutable state, but holds in our setting because of the semantics of LVars and their put/get interface. We present evidence that λLVar is sufficiently expressive to model two paradigms of deterministic parallel computation: shared-state, single-assignment models, exemplified by the Intel Concurrent Collections framework and the monad-par Haskell library [18], and data-flow networks, exemplified by Kahn process networks [15] (Section 5). Finally, we describe an extension to the basic λLVar model: destructive observations, enabling a limited form of nondeterminism that admits failures but not wrong answers (Section 6).




Figure 2: Example domains: (a) IVar containing a natural number; (b) pair of natural-number-valued IVars; (c) ≤ ordering. Subfigure (b) is annotated with example threshold sets that would correspond to a blocking read of the first or second element of the pair (see Sections 2.3 and 3.2). Any state transition crossing the "tripwire" for getSnd causes it to unblock and return a result.



2 Domains, Stores, and Determinism 

We take as the starting point for our work a call-by-value λ-calculus extended with a store and with communication primitives put and get that operate on data in the store. We call this language λLVar. The class of programs that we are interested in modeling with λLVar are those with explicit effectful operations on shared data structures, in which subcomputations may communicate with each other via the put and get operations.

In this setting of shared mutable state, the trick that λLVar employs to maintain determinism is that stores contain LVars, which are a generalization of IVars. Whereas IVars are single-assignment variables, either empty or filled with an immutable value, an LVar may have an arbitrary number of states forming a domain (or state space) D, which is partially ordered by a relation ⊑. An LVar can take on any sequence of states from the domain D, so long as that sequence respects the partial order; that is, updates to the LVar (made via the put operation) are inflationary with respect to ⊑. Moreover, the interface presented by the get operation allows only limited observations of the LVar's state. In this section, we discuss how domains and stores work in λLVar and explain how the semantics of put and get together enforce determinism in λLVar programs.

2.1 Domains 

The definition of λLVar is parameterized by the choice of a domain D: to write concrete λLVar programs, one must specify the domain that one is interested in working with. Therefore λLVar is actually a family of languages, rather than a single language. Virtually any data structure to which information is added gradually can be represented as a λLVar domain, including pairs, arrays, trees, maps, and infinite streams. Figure 2 gives three examples of domains for common data structures.

Formally, a domain D is a bounded join-semilattice.² In other words:

• D comes equipped with a partial order ⊑;

• every pair of elements in D has a least upper bound (lub) ⊔;

• D has a least element ⊥ and a greatest element ⊤.

The simplest example of a useful domain is one that represents the state space of a single-assignment variable (an IVar). A natural-number-valued IVar, for instance, would correspond to the domain in Figure 2(a), that is,

D = ({⊤, ⊥} ∪ ℕ, ⊑),

where the partial order ⊑ is defined by setting ⊥ ⊑ d ⊑ ⊤ and d ⊑ d for all d ∈ D. This is a lattice of height three and infinite width, where the naturals are arranged horizontally. After the initial write of some n ∈ ℕ, any further conflicting writes would push the state of the IVar to ⊤ (an error).

The motivation for requiring domains with the given structure is as follows:

• the least element, ⊥, is needed to initialize store locations;

• the greatest element, ⊤, is needed to denote "conflicting" updates to store locations;

• the requirement that every two elements must have a lub means that it is always possible to fork a computation into subcomputations that can independently update the store and then join the results by taking the lub of updates to shared locations.

2.2 Stores 

During the evaluation of a λLVar program, a store S keeps track of the states of LVars. Each LVar is represented by a binding from a location l, drawn from a set Loc, to its state, which is some element d ∈ D. Although each LVar in a program has its own state, the states of all the LVars are drawn from the same domain D. We can do this with no loss of generality because lattices corresponding to different types of LVars could always be unioned into a single lattice (with shared ⊤ and ⊥ elements). Alternatively, in a typed formulation of λLVar, the type of an LVar might determine the domain of its states.

Definition 1. A store is either a finite partial mapping S : Loc →fin (D − {⊤}), or the distinguished element ⊤_S.

We use the notation S[l ↦ d] to denote extending S with a binding from l to d. If l ∈ dom(S), then S[l ↦ d] denotes an update to the existing binding for l, rather than an extension. We can also denote a store by explicitly writing out all its bindings, using the notation [l₁ ↦ d₁, l₂ ↦ d₂, ...]. The state space of stores forms a bounded join-semilattice, just as D does. The least element ⊥_S is the empty store, and ⊤_S is the greatest element. It is straightforward to lift the ⊑ and ⊔ operations defined on elements of D to the level of stores:

Definition 2. A store S is less than or equal to a store S' (written S ⊑_S S') iff:

• S' = ⊤_S, or

• dom(S) ⊆ dom(S') and for all l ∈ dom(S), S(l) ⊑ S'(l).

Definition 3. The least upper bound (lub) of two stores S₁ and S₂ (written S₁ ⊔_S S₂) is defined as follows:

• S₁ ⊔_S S₂ = ⊤_S iff there exists some l ∈ dom(S₁) ∩ dom(S₂) such that S₁(l) ⊔ S₂(l) = ⊤.

• Otherwise, S₁ ⊔_S S₂ is the store S such that:

  - dom(S) = dom(S₁) ∪ dom(S₂), and

  - for all l ∈ dom(S):

        S(l) = S₁(l) ⊔ S₂(l)    if l ∈ dom(S₁) ∩ dom(S₂)
        S(l) = S₁(l)            if l ∉ dom(S₂)
        S(l) = S₂(l)            if l ∉ dom(S₁)

By Definition 3, if d₁ ⊔ d₂ = ⊤, then [l ↦ d₁] ⊔_S [l ↦ d₂] = ⊤_S. Notice that a store like [l ↦ ⊤] can never arise during the execution of a λLVar program, because (as we will see in Section 3) an attempted write that would take the state of l to ⊤ would raise an error before the write can occur.

² Although we will sometimes abbreviate "bounded join-semilattice" to "lattice" for brevity's sake in the discussion that follows, λLVar domains do not, in general, satisfy the properties of a lattice.

2.3 Communication Primitives 

The new, put, and get operations create, write to, and read from LVars, respectively. The interface is similar to that presented by mutable references:

• new extends the store with a binding for a new LVar whose initial state is ⊥, and returns the location l of that LVar (i.e., a pointer to the LVar).

• put takes a pointer to an LVar and a singleton set containing a new state; it updates the store, merging the current state of the LVar with the new state by taking their lub, and pushes the state of the LVar upward in the lattice. Any update that would take the state of an LVar to ⊤ results in an error.

• get performs a blocking "threshold" read that allows limited observations of the state of an LVar. It takes a pointer to an LVar and a threshold set Q, which is a non-empty subset of D that is pairwise incompatible, meaning that the lub of any two distinct elements in Q is ⊤. If the LVar's state d in the lattice is at or above some d' ∈ Q, the get operation unblocks and returns the singleton set {d'}. Note that d' is a unique element of Q, for if there were another d'' ≠ d' in the threshold set such that d'' ⊑ d, it would follow that d' ⊔ d'' ⊑ d ≠ ⊤, which contradicts the requirement that Q be pairwise incompatible.

The intuition behind get is that it specifies a subset of the lattice that is "horizontal": no two elements in the subset can be above or below one another. Intuitively, each element in the threshold set is an "alarm" that detects the activation of itself or any state above it. One way of visualizing the threshold set for a get operation is as a subset of edges in the lattice that, if crossed, set off the corresponding alarm. Together these edges form a "tripwire". This visualization is pictured in Figure 2(b). The threshold set {(⊥, 0), (⊥, 1), ...} (or a subset thereof) would pass the incompatibility test, as would the threshold set {(0, ⊥), (1, ⊥), ...} (or a subset thereof), but a combination of the two would not pass, since (m, ⊥) ⊔ (⊥, n) = (m, n) ≠ ⊤.

Both get and put take and return sets. The fact that put takes a singleton set and get returns a singleton set (rather than a value d) may seem awkward; it is merely a way to keep the grammar for values simple, and avoid including set primitives in the language (e.g., for converting d to {d}).
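The domain of Section 2.1 and the put/get interface of Section 2.3 are small enough to model directly. The following is an added example, not the paper's code: a single LVar over the domain of pairs of natural-number IVars (Figure 2(b)), with put as lub-merge (erroring at ⊤) and get as a threshold read that checks pairwise incompatibility. Names (`LVar`, `GET_FST`, `GET_SND`, `put_result`) are ours, and the infinite threshold sets {(⊥, n) | n ∈ ℕ} are cut to the finite slice n < 16 so the incompatibility check can be run exhaustively; as the text notes, any subset of a pairwise-incompatible set is still pairwise incompatible.

```python
# Added example (ours, not the paper's code): one LVar over the domain of pairs
# of natural-number IVars (Figure 2(b)) with put and threshold get as in
# Section 2.3. Threshold sets such as {(⊥, n) | n ∈ ℕ} are cut to a finite
# slice (n < 16) so that the incompatibility check can be run exhaustively.
BOT = "⊥"
TOP = "⊤"

def ivar_join(a, b):
    """lub in the IVar domain {⊥} ∪ ℕ ∪ {⊤} of Figure 2(a)."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP      # two different naturals conflict

def ivar_leq(a, b):
    """⊥ ⊑ d ⊑ ⊤ and d ⊑ d; nothing else is ordered."""
    return a == BOT or a == b or b == TOP

def pair_join(p, q):
    """Product domain: join componentwise; ⊤ if either component hits ⊤."""
    if TOP in (p, q):
        return TOP
    x, y = ivar_join(p[0], q[0]), ivar_join(p[1], q[1])
    return TOP if TOP in (x, y) else (x, y)

def pair_leq(p, q):
    if q == TOP:
        return True
    if p == TOP:
        return False
    return ivar_leq(p[0], q[0]) and ivar_leq(p[1], q[1])

def incomp(threshold):
    """Pairwise incompatibility: the lub of any two distinct elements is ⊤."""
    return all(pair_join(a, b) == TOP
               for a in threshold for b in threshold if a != b)

# Finite slices of the threshold sets behind getFst and getSnd (Section 3.2).
N = range(16)
GET_FST = frozenset((n, BOT) for n in N)
GET_SND = frozenset((BOT, n) for n in N)

class LVar:
    def __init__(self):
        self.state = (BOT, BOT)      # E-New: a fresh LVar starts at ⊥ = (⊥, ⊥)

    def put(self, d):
        """E-PutVal: inflationary update by lub; E-PutValErr if that is ⊤."""
        new = pair_join(self.state, d)
        if new == TOP:
            raise RuntimeError("put would take the LVar to ⊤: conflicting write")
        self.state = new

    def get(self, threshold):
        """E-GetVal: return the unique threshold element at or below the
        state, or None to model a blocked get (premise d₁ ⊑ d₂ not met)."""
        if not incomp(threshold):
            raise ValueError("threshold set is not pairwise incompatible")
        hits = [d for d in threshold if pair_leq(d, self.state)]
        assert len(hits) <= 1        # guaranteed by incomp(threshold)
        return hits[0] if hits else None

def put_result(lv, d):
    """Outcome of ⟨S; put l {d}⟩: the new state, or "error" (E-PutValErr)."""
    try:
        lv.put(d)
        return lv.state
    except RuntimeError:
        return "error"

if __name__ == "__main__":
    p = LVar()
    p.put((3, 4))
    print("Example 1:", p.get(GET_SND))          # (⊥, 4)
    q = LVar()
    q.put((BOT, 4))
    print("getFst before (3,4) is written:", q.get(GET_FST))   # None: blocked
    q.put((3, 4))
    print("getFst after:", q.get(GET_FST))        # (3, ⊥)
    print("conflicting put:", put_result(q, (5, 4)))           # error
    print("getFst ∪ getSnd incompatible?", incomp(GET_FST | GET_SND))   # False
```

A put of (5, 4) onto state (3, 4) joins to (⊤, 4) and is refused rather than silently overwriting, and the union of the getFst and getSnd threshold sets fails incompatibility because (0, ⊥) ⊔ (⊥, 0) = (0, 0), which is why the text rules out a getFstOrSnd operation.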

2.4 Monotonic Store Growth and Determinism 

In IVar-based languages, a store can only change in one of two ways: a new binding is added at ⊥, or a previously ⊥ binding is permanently updated to a meaningful value. It is therefore straightforward in such languages to define an ordering on stores and establish determinism based on the fact that stores grow monotonically with respect to the ordering. For instance, Featherweight CnC, a lightweight, single-assignment imperative language that models the CnC system, defines ordering on stores as follows:³

Definition 4 (store ordering, Featherweight CnC). A store S is less than or equal to a store S' (written S ⊑_S S') iff dom(S) ⊆ dom(S') and for all l ∈ dom(S), S(l) = S'(l).

³ In Featherweight CnC, the store interface is simpler still: no store location is ever bound to ⊥. Instead, if l ∉ dom(S) then l is defined to be at ⊥, and a location springs into existence at the time that its permanent value is written.
Given a domain D with elements d ∈ D:

configurations          σ ::= ⟨S; e⟩ | error
expressions             e ::= x | v | e e | new | put e e | get e e | convert e
values                  v ::= l | Q | λx.e
threshold set literals  Q ::= {d₁, d₂, ..., dₙ} | {d | pred(d)}        (where pred(d) is computable)
stores                  S ::= ⊤_S | [l₁ ↦ d₁, l₂ ↦ d₂, ...]             (where dᵢ ≠ ⊤)

Figure 3: Syntax for λLVar.

Our Definition 2 is reminiscent of Definition 4, but Definition 4 requires that S(l) and S'(l) be equal, instead of our weaker requirement that S(l) ⊑ S'(l) according to the user-provided partial order ⊑. In λLVar, stores may grow by updating existing bindings via repeated puts, so Definition 4 would be too strong; for instance, if ⊥ ⊑ d₁ ⊑ d₂ for distinct d₁, d₂ ∈ D, the relationship [l ↦ d₁] ⊑_S [l ↦ d₂] holds under Definition 2 but would not hold under Definition 4. That is, in λLVar an LVar could take on the state d₁ followed by d₂, which would not be possible in Featherweight CnC. We establish in Section 4 that λLVar remains deterministic despite the relatively weak ⊑_S relation given in Definition 2. The keys to maintaining determinism are the blocking semantics of the get operation and the fact that it allows only limited observations of the state of an LVar.



3 λLVar: Syntax and Semantics

The syntax and operational semantics of λLVar appear in Figures 3 and 4, respectively.⁴ As we've noted, both the syntax and semantics are parameterized by the domain D. The operational semantics is defined on configurations ⟨S; e⟩ comprising a store and an expression. The error configuration, written error, is a unique element added to the set of configurations, but we consider ⟨⊤_S; e⟩ to be equal to error, for all expressions e. The metavariable σ ranges over configurations.

Figure 4 shows two disjoint sets of reduction rules: those that step to configurations other than error, and those that step to error. Most of the latter are merely propagating existing errors along. A new error can only arise by way of E-ParAppErr, which represents the joining of two conflicting subcomputations, or by way of the E-PutValErr rule, which applies when a put to a location would take its state to ⊤.

The reduction rules E-New, E-PutVal, and E-GetVal in Figure 4 respectively express the semantics of the new, put, and get operations described in Section 2.3. The incompatibility property of the threshold set argument to get is enforced in the E-GetVal rule by the incomp(Q) premise, which requires that the least upper bound of any two distinct elements in Q must be ⊤.⁵ The E-Put-1/E-Put-2 and E-Get-1/E-Get-2 rules allow for reduction of subexpressions inside put and get expressions until their arguments have been evaluated, at which time the E-PutVal (or E-PutValErr) and E-GetVal rules respectively apply. Arguments to put and get are evaluated in arbitrary order, although not simultaneously.⁶



3.1 Fork- Join Parallelism 

λLVar has an explicitly parallel reduction semantics: the E-ParApp rule in Figure 4 allows simultaneous reduction of the operator and operand in an application expression, so that (eliding stores) the application e₁ e₂ may step to e₁' e₂'. In the case where one of the subexpressions is already a value or is otherwise unable to step (for instance, if it is a

⁴ In addition to the version of λLVar presented here, we have developed a runnable model of a variant of λLVar using the PLT Redex semantics engineering toolkit [11]. Our Redex model and test suite are available at https://github.com/lkuper/lambdaLVar-redex.

⁵ Although incomp(Q) is given as a premise of the E-GetVal reduction rule (indicating that it is checked at runtime), in a real implementation the incompatibility condition on threshold sets might be checked statically, eliminating the need for the runtime check. In fact, a real implementation could forego any runtime representation of threshold sets.

⁶ It would, however, be straightforward to add to the semantics E-ParPut and E-ParGet rules analogous to E-ParApp, should simultaneous evaluation of put and get arguments be desired.
Given a domain D with elements d ∈ D and a value-conversion function δ:

incomp(Q) ≜ ∀ a, b ∈ Q. (a ≠ b ⇒ a ⊔ b = ⊤)

Reductions to configurations other than error:   ⟨S; e⟩ ↪ ⟨S'; e'⟩   (where ⟨S'; e'⟩ ≠ error)

E-Refl
  ─────────────────
  ⟨S; e⟩ ↪ ⟨S; e⟩

E-ParApp
  ⟨S; e₁⟩ ↪ ⟨S₁; e₁'⟩    ⟨S; e₂⟩ ↪ ⟨S₂; e₂'⟩    ⟨S₁'; e₁''⟩ = rename(⟨S₁; e₁'⟩, S₂, S)    S₁' ⊔_S S₂ ≠ ⊤_S
  ──────────────────────────────────────────────────────────────────────────────────────
  ⟨S; e₁ e₂⟩ ↪ ⟨S₁' ⊔_S S₂; e₁'' e₂'⟩

E-Beta
  ───────────────────────────────────
  ⟨S; (λx.e) v⟩ ↪ ⟨S; e[x := v]⟩

E-New
  ───────────────────────────────   (l ∉ dom(S))
  ⟨S; new⟩ ↪ ⟨S[l ↦ ⊥]; l⟩

E-Put-1
  ⟨S; e₁⟩ ↪ ⟨S₁; e₁'⟩
  ─────────────────────────────────────────
  ⟨S; put e₁ e₂⟩ ↪ ⟨S₁; put e₁' e₂⟩

E-Put-2
  ⟨S; e₂⟩ ↪ ⟨S₂; e₂'⟩
  ─────────────────────────────────────────
  ⟨S; put e₁ e₂⟩ ↪ ⟨S₂; put e₁ e₂'⟩

E-PutVal
  S(l) = d₂    d₁ ∈ D    d₁ ⊔ d₂ ≠ ⊤
  ─────────────────────────────────────────
  ⟨S; put l {d₁}⟩ ↪ ⟨S[l ↦ d₁ ⊔ d₂]; {}⟩

E-Get-1
  ⟨S; e₁⟩ ↪ ⟨S₁; e₁'⟩
  ─────────────────────────────────────────
  ⟨S; get e₁ e₂⟩ ↪ ⟨S₁; get e₁' e₂⟩

E-Get-2
  ⟨S; e₂⟩ ↪ ⟨S₂; e₂'⟩
  ─────────────────────────────────────────
  ⟨S; get e₁ e₂⟩ ↪ ⟨S₂; get e₁ e₂'⟩

E-GetVal
  S(l) = d₂    incomp(Q)    Q ⊆ D    d₁ ∈ Q    d₁ ⊑ d₂
  ─────────────────────────────────────────
  ⟨S; get l Q⟩ ↪ ⟨S; {d₁}⟩

E-Convert
  ⟨S; e⟩ ↪ ⟨S'; e'⟩
  ─────────────────────────────────────────
  ⟨S; convert e⟩ ↪ ⟨S'; convert e'⟩

E-ConvertVal
  ─────────────────────────────────────────
  ⟨S; convert v⟩ ↪ ⟨S; δ(v)⟩

Reductions to error:   ⟨S; e⟩ ↪ error

E-ReflErr
  ───────────────
  error ↪ error

E-ParAppErr
  ⟨S; e₁⟩ ↪ ⟨S₁; e₁'⟩    ⟨S; e₂⟩ ↪ ⟨S₂; e₂'⟩    ⟨S₁'; e₁''⟩ = rename(⟨S₁; e₁'⟩, S₂, S)    S₁' ⊔_S S₂ = ⊤_S
  ──────────────────────────────────────────────────────────────────────────────────────
  ⟨S; e₁ e₂⟩ ↪ error

E-AppErr-1
  ⟨S; e₁⟩ ↪ error
  ─────────────────────────
  ⟨S; e₁ e₂⟩ ↪ error

E-AppErr-2
  ⟨S; e₂⟩ ↪ error
  ─────────────────────────
  ⟨S; e₁ e₂⟩ ↪ error

E-PutValErr
  S(l) = d₂    d₁ ∈ D    d₁ ⊔ d₂ = ⊤
  ─────────────────────────────────
  ⟨S; put l {d₁}⟩ ↪ error

E-PutErr-1
  ⟨S; e₁⟩ ↪ error
  ─────────────────────────────
  ⟨S; put e₁ e₂⟩ ↪ error

E-PutErr-2
  ⟨S; e₂⟩ ↪ error
  ─────────────────────────────
  ⟨S; put e₁ e₂⟩ ↪ error

E-GetErr-1
  ⟨S; e₁⟩ ↪ error
  ─────────────────────────────
  ⟨S; get e₁ e₂⟩ ↪ error

E-GetErr-2
  ⟨S; e₂⟩ ↪ error
  ─────────────────────────────
  ⟨S; get e₁ e₂⟩ ↪ error

E-ConvertErr
  ⟨S; e⟩ ↪ error
  ─────────────────────────────
  ⟨S; convert e⟩ ↪ error

Figure 4: An operational semantics for λLVar.
Figure 5: A series-parallel graph induced by basic parallel λ-calculus evaluation (a), vs. a non-series-parallel graph created by put/get communication (b).

blocked get), the reflexive E-Refl rule comes in handy: it allows the E-ParApp rule to apply nevertheless. When the configuration ⟨S; e₁ e₂⟩ takes a step, e₁ and e₂ step as separate subcomputations, each beginning with its own copy of the store S. Each subcomputation can update S independently, and the resulting two stores are combined by taking their least upper bound when the subcomputations rejoin.⁷

Although the semantics admits such parallel reductions, λLVar is still call-by-value in the sense that arguments to functions must be fully evaluated before function application (β-reduction, modeled by the E-Beta rule) can occur. We can exploit this property to define a syntactic sugar let par for parallel composition, which computes two subexpressions e₁ and e₂ in parallel before computing e₃:

let par x = e₁
        y = e₂      ≡   ((λx.(λy.e₃)) e₁) e₂
in e₃

Although e₁ and e₂ are evaluated in parallel, e₃ cannot be evaluated until both e₁ and e₂ are evaluated, because the call-by-value semantics does not allow β-reduction until the operand is fully evaluated, and because it further disallows reduction under a λ-term (sometimes called "full β-reduction"). In the terminology of parallel programming, the above expression executes both a fork and a join. Indeed, it is common for fork and join to be combined in a single language construct, for example, in languages with parallel tuple expressions such as Manticore [12].

Since let par expresses fork-join parallelism, the evaluation of a program comprising nested let par expressions would induce a runtime dependence graph like that pictured in Figure 5(a). In the terminology of parallel algorithms, the λLVar language (minus put and get) can support any series-parallel dependence graph. Adding communication through put and get introduces "lateral" edges between branches of a parallel computation like that shown in Figure 5(b). This adds the ability to construct arbitrary non-series-parallel dependency graphs, just as with first-class futures [23].

Conversely, to sequentially compose e₁ before e₂ before e₃, we could write the expression (λx.((λy.e₃) e₂)) e₁. Sequential composition is necessary for ordering side-effecting put and get operations on the store. For that reason, full β-reduction would be a poor choice, but parallel call-by-value gives λLVar both sequential and parallel composition, without introducing additional language forms.

⁷ A subtle point that E-ParApp and E-ParAppErr must address is location renaming: locations created while e₁ steps must be renamed to avoid name conflicts with locations created while e₂ steps. We discuss the rename metafunction as part of a more wide-ranging discussion in Section 4.1.
3.2 Programming with put and get

For our first example of a λLVar program, we choose our domain to be pairs of natural-number-valued IVars, represented by the lattice shown in Figure 2(b). With D instantiated thusly, we can write the following program:⁸

let p = new in
let _ = put p {(3, 4)} in
let v₁ = get p {(⊥, n) | n ∈ ℕ} in                    (Example 1)
  ... v₁ ...

This program creates a new LVar p and stores the pair (3, 4) in it. (3, 4) then becomes the state of p. The premises of the E-GetVal reduction rule hold: S(p) = (3, 4); the threshold set Q = {(⊥, n) | n ∈ ℕ} is a pairwise incompatible subset of D; and there exists an element d₁ ∈ Q such that d₁ ⊑ (3, 4) in the lattice (D, ⊑). In particular, the pair (⊥, 4) is a member of Q, and (⊥, 4) ⊑ (3, 4) in (D, ⊑). Therefore, get p {(⊥, n) | n ∈ ℕ} returns the singleton set {(⊥, 4)}, which is a first-class value in λLVar that can, for example, subsequently be passed to put.

Since threshold sets can be cumbersome to read, we can define some convenient shorthands getFst and getSnd for working with the domain of pairs:

getFst p = get p {(n, ⊥) | n ∈ ℕ}
getSnd p = get p {(⊥, n) | n ∈ ℕ}

Querying incomplete data structures It is worth noting that getSnd p returns a value even if the first entry of p is not filled in. For example, if the put in the second line of (Example 1) had been put p {(⊥, 4)}, the get expression would still return {(⊥, 4)}. It is therefore possible to safely query an incomplete data structure, say, an object that is in the process of being initialized by a constructor. However, notice that we cannot define a getFstOrSnd function that returns if either entry of a pair is filled in. Doing so would amount to passing all of the boxed elements of the lattice in Figure 2(b) to get as a single threshold set, which would fail the incompatibility criterion.

Blocking reads On the other hand, consider the following:

let p = new in
let _ = put p {(⊥, 4)} in
let par v₁ = getFst p                                  (Example 2)
        _  = put p {(3, 4)}
in ... v₁ ...

Here getFst can attempt to read from the first entry of p before it has been written to. However, thanks to let par, the getFst operation is being evaluated in parallel with a put operation that will give it a value to read, so getFst simply blocks until put p {(3, 4)} has been evaluated, at which point the evaluation of getFst p can proceed.

In the operational semantics, this blocking behavior corresponds to the last premise of the E-GetVal rule not being satisfied. In (Example 2), although the threshold set {(n, ⊥) | n ∈ ℕ} is incompatible, the E-GetVal rule cannot apply because there is no element of the threshold set that is at or below the state (⊥, 4) of p in the lattice; that is, we are trying to get something that isn't yet there! It is only after p's state is updated to (3, 4) that the premise is satisfied (with d₁ = (3, ⊥)) and the rule applies.

3.3 Converting from Threshold Sets to λ-terms and Back

There are two worlds that λLVar values may inhabit: the world of threshold sets, and the world of λ-terms. But if these worlds are disjoint (if threshold set values are opaque atoms), certain programs are impossible to write. For example,

⁸ For clarity, we will write let x = e₁ in e₂ as a shorthand for ((λx. e₂) e₁).
Frame rule (O'Hearn et al., 2001):

  {p} c {q}
  ───────────────────   (where no free variable in r is modified by c)
  {p * r} c {q * r}

Lemma 3 (Independence), simplified:

  ⟨S; e⟩ ↪ ⟨S'; e'⟩
  ─────────────────────────────────────   (S'' non-conflicting with ⟨S; e⟩ ↪ ⟨S'; e'⟩)
  ⟨S ⊔_S S''; e⟩ ↪ ⟨S' ⊔_S S''; e'⟩

Figure 6: Comparison of the frame rule with a simplified version of the Independence lemma. The * connective in the frame rule requires that its arguments be disjoint.

implementing single-assignment arrays in λLVar requires that arbitrary array indices can be computed and converted to threshold sets.

Thus we parameterize our semantics by a conversion function, δ : v → v, to which λLVar provides an interface through its convert language form. The conversion function can arbitrarily convert between representations of values as threshold sets and representations as λ-terms. It is optional in the sense that providing an identity or empty function is acceptable, and leaves λLVar sensible but less expressive (i.e., threshold sets are still first-class values, but usable only for passing to get and put).

4 Proof of Determinism for λLVar

Our main technical result is a proof of determinism for the λLVar language. The complete proofs appear in Appendix A.

4.1 Framing and Renaming

Figure 6 shows a frame rule, due to O'Hearn et al. [20], which captures the idea that, given a program c with precondition p that holds before it runs and postcondition q that holds afterward, a disjoint condition r that holds before c runs will continue to hold afterward. Moreover, the original postcondition q will continue to hold. For λLVar, we can state a property that is analogous to the frame rule, but to do so we have to define a notion of non-conflicting stores. Given a transition (S; e) ↪ (S'; e'), the set dom(S') − dom(S) is the set of names of new store bindings created between (S; e) and (S'; e'). We say that a store S'' is non-conflicting with the transition (S; e) ↪ (S'; e') iff dom(S'') does not have any elements in common with dom(S') − dom(S).

Definition 5. A store S'' is non-conflicting with the transition (S; e) ↪ (S'; e') iff (dom(S') − dom(S)) ∩ dom(S'') = ∅.

Requiring that a store S'' be non-conflicting with a transition (S; e) ↪ (S'; e') is not as restrictive a requirement as it appears to be at first glance: it is fine for S'' to contain bindings for locations that are bound in S', as long as they are also locations bound in S. In fact, they may even be locations that were updated in the transition from (S; e) to (S'; e'), as long as they were not created during it. In other words, given a store S'' that is non-conflicting with (S; e) ↪ (S'; e'), it may still be the case that dom(S'') has elements in common with dom(S), and with the subset of dom(S') that is dom(S).

Renaming. Recall that when λLVar programs split into two subcomputations via the E-ParApp rule, the subcomputations' stores are merged (via the lub operation) as they are running. Therefore we need to ensure that the following two properties hold:

9 A reasonable alternative definition of λLVar would remove threshold set values entirely and require that threshold set inputs and outputs to get/put be implicitly converted. Yet the language is deterministic even in its more general form — with first-class threshold sets — and we do not want to unduly restrict the language.
1. Location names created before a split still match up with each other after a merge.

2. Location names created by each subcomputation while they are running independently do not match up with each other accidentally — i.e., they do not collide.

Property (2) is why it is necessary to rename locations in the E-ParApp (and E-ParAppErr) rule. This renaming is accomplished by a call to the rename metafunction, which, for each location name l generated during the reduction (S; e1) ↪ (S1; e1'), generates a name that is not yet used on either side of the split and substitutes that name into (S1; e1') in place of l (see footnote 10). We arbitrarily choose to rename locations created during the reduction of (S; e1), but it would work just as well to rename those created during the reduction of (S; e2).

Definition 6. The rename metafunction is defined as follows:

    rename(·, ·, ·) : σ × S × S → σ

    rename((S'; e), S'', S) = (S'; e)[l1 := l1'] ... [ln := ln']

where:

• {l1, ..., ln} = dom(S') − dom(S), and

• {l1', ..., ln'} is a set such that li' ∉ (dom(S') ∪ dom(S'')) for i ∈ [1..n].

However, property (1) means that we cannot allow α-renaming of bound locations in a configuration to be done at will. Rather, renaming can only be done safely if it is done in the context of a transition from configuration to configuration. Therefore, we define a notion of safe renaming with respect to a transition.

Definition 7. A renaming of a configuration (S; e) is the substitution into (S; e) of location names l1', ..., ln' for some subset l1, ..., ln of dom(S).

Definition 8. A safe renaming of (S'; e') with respect to (S; e) ↪ (S'; e') is a renaming of (S'; e') in which the locations l1, ..., ln being renamed are the members of the set dom(S') − dom(S), and the names l1', ..., ln' that are replacing l1, ..., ln do not appear in dom(S').

If (S''; e'') is a safe renaming of (S'; e') with respect to (S; e) ↪ (S'; e'), then S'' is by definition non-conflicting with (S; e) ↪ (S'; e').

4.2 Renaming Lemmas

With the aforementioned definitions in place, we can establish the following two properties about renaming. Lemma 1 expresses the idea that the names of locations created during a reduction step are arbitrary within the context of that step. It says that if a configuration (S; e) steps to (S'; e'), then (S; e) can also step to configurations that are safe renamings of (S'; e') with respect to (S; e) ↪ (S'; e').

Lemma 1 (Renaming of Locations During a Step). If (S; e) ↪ (S'; e') (where (S'; e') ≠ error) and {l1, ..., ln} = dom(S') − dom(S), then:

For all sets {l1', ..., ln'} such that li' ∉ dom(S') for i ∈ [1..n]:

    (S; e) ↪ (S_oldlocs[l1' ↦ S'(l1)] ... [ln' ↦ S'(ln)]; e'[l1 := l1'] ... [ln := ln'])

where S_oldlocs is defined as follows: dom(S_oldlocs) = dom(S), and for all l ∈ dom(S_oldlocs), S_oldlocs(l) =

10 Since λLVar locations are drawn from a distinguished set Loc, they cannot occur in the user's domain D — that is, locations in λLVar may not contain pointers to other locations. Likewise, λ-bound variables in e are never location names. Therefore, substitutions like the one in Definition 6 will not capture bound occurrences of location names.

Proof. See Appendix, Section A.1. □



Finally, Lemma 2 says that in the circumstances where we use the rename metafunction, the renaming it performs meets the specification set by Lemma 1.

Lemma 2 (Safety of rename). If (S; e) ↪ (S'; e') (where (S'; e') ≠ error) and S'' ≠ ⊤_S, then:

    (S; e) ↪ rename((S'; e'), S'', S).

Proof. See Appendix, Section A.2. □

4.3 Supporting Lemmas

Lemmas 3, 4 and 5 express three key properties that we need for establishing determinism. Lemma 3 expresses a local reasoning property: it says that if a transition steps from (S; e) to (S'; e'), then the configuration (S ⊔_S S''; e), where S'' is some other store (e.g., one from another subcomputation), will step to (S' ⊔_S S''; e'). The only restrictions on S'' are that S' ⊔_S S'' cannot be ⊤_S, and that S'' must be non-conflicting with the original transition (S; e) ↪ (S'; e'). Like the frame rule, the Independence lemma allows us to "frame in" a larger store around e and still finish the transition with e', with the non-conflicting requirement ruling out name conflicts caused by allocation.

Lemma 4 handles the case where S' ⊔_S S'' = ⊤_S and ensures that in that case, (S ⊔_S S''; e) steps to error. In either case, whether the transition results in (S' ⊔_S S''; e') or in error, we know that it will never result in a configuration containing some other e'' ≠ e'. Finally, Lemma 5 says that if a configuration (S; e) steps to error, then evaluating e in some larger store will also result in error.

Lemma 3 (Independence). If (S; e) ↪ (S'; e') (where (S'; e') ≠ error), then for all S'' such that S'' is non-conflicting with (S; e) ↪ (S'; e') and S' ⊔_S S'' ≠ ⊤_S:

    (S ⊔_S S''; e) ↪ (S' ⊔_S S''; e').

Proof. See Appendix, Section A.3. □

Lemma 4 (Clash). If (S; e) ↪ (S'; e') (where (S'; e') ≠ error), then for all S'' such that S'' is non-conflicting with (S; e) ↪ (S'; e') and S' ⊔_S S'' = ⊤_S:

    (S ⊔_S S''; e) ↪ error.

Proof. See Appendix, Section A.4. □

Lemma 5 (Error Preservation). If (S; e) ↪ error and S ⊑_S S', then (S'; e) ↪ error.

Proof. See Appendix, Section A.5. □

4.4 Diamond Lemma

Lemma 6 does the heavy lifting of our determinism proof: it establishes the diamond property (or Church-Rosser property [4]), which says that if a configuration steps to two different configurations, there exists a single third configuration to which those configurations both step.

Lemma 6 (Diamond). If σ ↪ σ_a and σ ↪ σ_b, then there exists a σ_c such that either:

• σ_a ↪ σ_c and σ_b ↪ σ_c, or

• there exists a safe renaming σ_b' of σ_b with respect to σ ↪ σ_b, such that σ_a ↪ σ_c and σ_b' ↪ σ_c.

Proof. See Appendix, Section A.6. □

We can readily restate Lemma 6 as Corollary 1.

Corollary 1 (Strong Local Confluence). If σ ↪ σ' and σ ↪ σ'', then there exist σ_c, i, j such that σ' ↪^i σ_c and σ'' ↪^j σ_c and i ≤ 1 and j ≤ 1.

Proof. Choose i = j = 1. The proof follows immediately from Lemma 6. □
(Figure 7 diagram; only its labels survive extraction. Left side: "By induction hypothesis, there exist σ_c1, σ_c2 such that ..." for the subcomputations (S; e1) and (S; e2), each stepping to its σ_c or to error. Right side: "To show: There exists σ_c such that ..." for the combined configuration (S; e1 e2).)

Figure 7: Diagram of the subcase of Lemma 6 in which the E-ParApp rule is the last rule in the derivation of both σ ↪ σ_a and σ ↪ σ_b. We are required to show that, if the configuration (S; e1 e2) steps by E-ParApp to two different configurations, (S_a1 ⊔_S S_a2; e_a1 e_a2) and (S_b1 ⊔_S S_b2; e_b1 e_b2), they both step to some third configuration σ_c.

4.5 Confluence Lemmas and Determinism

With Lemma 6 in place, we can straightforwardly generalize its result to multiple steps, by induction on the number of steps, as Lemmas 7, 8 and 9 show (see footnote 11).

Lemma 7 (Strong One-Sided Confluence). If σ ↪ σ' and σ ↪^m σ'', where 1 ≤ m, then there exist σ_c, i, j such that σ' ↪^i σ_c and σ'' ↪^j σ_c and i ≤ m and j ≤ 1.

Proof. See Appendix, Section A.7. □

Lemma 8 (Strong Confluence). If σ ↪^n σ' and σ ↪^m σ'', where 1 ≤ n and 1 ≤ m, then there exist σ_c, i, j such that σ' ↪^i σ_c and σ'' ↪^j σ_c and i ≤ m and j ≤ n.

Proof. See Appendix, Section A.8. □

Lemma 9 (Confluence). If σ ↪* σ' and σ ↪* σ'', then there exists σ_c such that σ' ↪* σ_c and σ'' ↪* σ_c.

Proof. Strong Confluence (Lemma 8) implies Confluence. □

Theorem 1 (Determinism). If σ ↪* σ' and σ ↪* σ'', and neither σ' nor σ'' can take a step except by E-Refl or E-ReflErr, then σ' = σ''.

Proof. We have from Lemma 9 that there exists σ_c such that σ' ↪* σ_c and σ'' ↪* σ_c. Since σ' and σ'' can only step to themselves, we must have σ' = σ_c and σ'' = σ_c, hence σ' = σ''. □



5 Modeling Other Deterministic Parallel Models

In this section, we present evidence that the λLVar programming model is general enough to subsume two rather different families of deterministic-by-construction parallel computation models. The first category is single-assignment models, from which we'll take Intel's Concurrent Collections framework [7] and Haskell's monad-par library [18] as two examples. The second is data-flow networks, specifically Kahn process networks (KPNs) [15]. In Section 7 we discuss additional models that are related to, but not directly modeled by, λLVar.

11 Lemmas 7, 8 and 9 are nearly identical to the corresponding lemmas in the proof of determinism for Featherweight CnC given by Budimlic et al. [7]. We also reuse Budimlic et al.'s naming conventions for Lemmas 5 through 6, but the statements and proofs of those lemmas differ considerably in our setting.
5.1 Concurrent Collections

In Section 2.4 we mentioned the Featherweight CnC language and its monotonically growing memory store. Featherweight CnC is a simplified model of the Concurrent Collections (CnC) [7] language for composing graphs of "steps", more commonly known as actors, which are implemented separately in a general-purpose language (C++, Java, Haskell, or Python). To begin execution, a subset of steps are invoked at startup time. Each step, when executed, may perform puts and gets on global, shared data collections (tables of IVars), as well as send messages to invoke other steps. The steps themselves are stateless, except for the information they store externally in the aforementioned tables.

The role of monotonicity has been understood, at least informally, in the design of CnC. However, this has not — until now — led to a treatment of shared data collections as general as λLVar. λLVar subsumes CnC in the following sense. If the language used to express CnC steps is the call-by-value λ-calculus, then CnC programs can be translated to λLVar; each step would become a function definition, generated in the following way:

• Each step function takes a single argument (its message, or in CnC terminology, its tag) and returns {} — our unit, the empty threshold set — being executed for effect only.

• All invocations of other steps (message sends) within the step body are aggregated at the end of the function and performed inside a let par. This is the sole source of parallelism. The aggregation can be accomplished either statically, by a program transformation that moves sends, or by dynamic buffering of the outgoing sends.

• The rest of the body of a step is translated directly: puts on data collections become λLVar puts; gets become λLVar gets.

The following skeleton shows the form of a program converted by the above method. It first defines steps, then launches the initial batch of "messages", and finally reads whatever result is desired.



    let step1 = λmsg. get ...; put ...;
                let par _ = step1 ...
                        _ = step2 ...
                        _ = step2 ...
                in {}
    in let step2 = ...
    in let data1 = new                  -- global data collections
    in let par _ = step1 33             -- invoke initial steps
               _ = step2 44
    in convert (get data1 key)          -- retrieve final result

Somewhat surprisingly, the CnC programming model is not implementable in a parallel call-by-value λ-calculus extended only with IVars. In fact, it was this observation that began the inquiry leading to the development of λLVar. The reason is that CnC provides globally scoped, extensible tables of IVars, not just IVars alone. While a λ-calculus augmented with IVars could model shared global IVars, or even fixed collections of IVars, it is, to our knowledge, impossible to create a mutable, extensible table data structure with IVars alone.

Finally, if there were not already a determinism result for CnC (which is previous work by the second author and others [7]), one could bootstrap determinism by proving that every valid step in a CnC semantics maps onto one or more evaluation steps for the translated version under the λLVar semantics; that is, the λLVar encoding simulates all possible executions of the CnC program, and since it yields a single answer, so does the CnC program.



5.2 The monad-par Haskell library

The monad-par package for Haskell [18] provides a parallel deterministic programming model with an explicit fork operation together with first-class IVars. monad-par uses explicit sequencing via a monad, together with Haskell's lazy evaluation. To translate monad-par programs to λLVar, evaluation order can be addressed using standard techniques, and λLVar can model monad-par's fork operation with let par, using the method in Section 3.1. But because monad-par has no join operations (IVar gets being the only synchronization mechanism), it would be necessary to use continuation-passing style in the translation. If the original monad-par program forks a child computation and returns, the translated program must invoke both the fork and its continuation within a let par expression.

Another wrinkle for translation of monad-par programs into λLVar is that while monad-par IVars may contain other IVars, LVars cannot contain LVars. This problem can be overcome by using a type-directed translation in which each IVar is represented by the wide, height-three lattice shown in Figure 2(a), and multiple IVars are modeled by product lattices. For example, a location of type IVar (IVar Int, IVar Char) in monad-par would correspond to a lattice similar to that pictured in Figure 2(b). Chaining IVar type constructors, e.g., IVar (IVar (...)), would simply add additional empty states, repeatedly lifting the domain with a new ⊥. All these types create larger state spaces, but do not pose a fundamental barrier to encoding monad-par IVars as LVars.

Although λLVar is a calculus rather than a practical programming language, the exercise of modeling monad-par in λLVar suggests practical extensions to monad-par. For example, additional data structures beyond IVars could be provided (e.g., maps or tries), using the λLVar translation to ensure determinism is retained.



5.3 Kahn Process Networks

Data-flow models have been a topic of theoretical [15] and practical [14] study for decades. In particular, Kahn's 1974 paper crystallized the contemporary work on data-flow with a denotational account of Kahn process networks (KPNs) — a deterministic model in which a network of processes communicates through single-reader, single-writer FIFO channels with non-blocking writes and blocking reads. Because λLVar is general enough to subsume KPNs, it represents a step towards bringing the body of work on data-flow into the broader context of functional and single-assignment languages.

To map KPNs into λLVar, we represent FIFOs as ordered sequences of values, monotonically growing on one end (i.e., channel histories). In fact, the original work on KPNs [15] used exactly this representation (and the complete partial order based on it) to establish determinism. However, to our knowledge neither KPNs nor any other data-flow model has generalized the data structures used for communication beyond FIFOs to include other monotonically-growing structures (e.g., maps).

An LVar representing a FIFO has a state encoding all elements sent on that FIFO to date. We represent sequences as sets of (index, value) associations with subset inclusion as the order ⊑. For example, {(0, a), (1, b)} encodes a two-element sequence. This makes it convenient to write threshold sets such as {(0, n) | n ∈ ℕ}, which will match any state encoding a channel history with a natural number value in position 0.

In this encoding, the producers and consumers using a FIFO must explicitly keep track of what position they read and write, i.e., the "cursor". This contrasts with an imperative formulation, where advancing the cursor is a side effect of "popping" the FIFO. A proper encoding of FIFO behavior writes and reads consecutive positions only (see footnote 12).

But what of the deterministic processes themselves? In Kahn's original work, they are treated as functions on channel histories without any internal structure. In a λLVar formulation of KPNs, they take the form of recursive functions that carry their state (and cursor positions) as arguments. In Figure 8 we use self-application to enable recursion, and we express a stream filter filterDups that prunes out all duplicate consecutive numbers from a stream.

Figure 8 assumes quite a bit in the way of syntactic sugar, although nothing non-standard. Church numerals would be needed to encode natural numbers, as well as a standard encoding of booleans. Because the encoding of Figure 8 will only work for finite executions, the cnt argument tells filterDups how many input elements to process. The fourth argument, lst, tracks the previously observed element on the input stream, that is, the state of the stream transducer. The second and third arguments to filterDups are the cursors that track positions in both the input and output streams. The convert function is necessary for computing threshold sets based on the values of cursors.

This technique is sufficient for encoding arbitrary KPN programs into λLVar. It is by no means a natural expression of this concept, especially due to the fact that the input and output stream cursors must be tracked explicitly. However,

12 In the λLVar abstraction we don't address concrete representations or storage requirements for LVar states and threshold sets. In a practical implementation, one would expect that already-consumed FIFO elements would be garbage-collected, which in turn requires strict enforcement of consecutively increasing access only.
    let filterDups = λf i1 i2 lst cnt.
          let next = get inp (convert i1)
              i2'  = if (lst = next) then i2
                     else put outp (convert (i2, next)); (i2 + 1)
          in if (cnt = 0) then {}
             else f f (i1 + 1) i2' next (cnt − 1)
    in filterDups filterDups 0 ...
    where convert i      = {{(i, n)} | n ∈ ℕ}
          convert (i, n) = {{(i, n)}}

Figure 8: Process an input stream, removing consecutive duplicates. inp and outp are channels, globally bound elsewhere.

with additional infrastructure for tracking stream cursors (and other state) by means of a state monad, the program given in Figure 8 could become significantly more idiomatic.
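The channel encoding of this section and the filterDups transducer of Figure 8 in executable form, as an added example that is not the paper's code: channels are LVars over the channel-history lattice, convert(i) is the threshold set {{(i, n)} | n ∈ ℕ}, and a producer writes the input stream in parallel with the filter, whose reads block exactly as the text describes. Assumed here and not in the text: a second, different value at an already-written index is treated as ⊤ (the put steps to error), a loop stands in for the self-applied recursion, and lst starts as None.

```python
"""filterDups of Figure 8 over channel-history LVars (Section 5.3).

Constructed example, not the paper's code.  A channel is an LVar whose
state is a set of (index, value) pairs ordered by subset inclusion; the
producer and the filter run in parallel threads, and every read is a
blocking threshold read with the threshold set convert(i) = {{(i, n)} | n in N}.
"""
import threading


class ChannelLVar:
    """A FIFO encoded as a monotonically growing channel history.

    put joins {(index, value)} into the state with the lub (set union).
    get blocks until some member of the threshold set lies below the state
    and returns that member.  Assumption (not the paper's lattice as stated):
    two different values at one index are treated as the top element, so the
    put steps to error; this is what makes convert(i) pairwise incompatible
    and enforces the single-writer, consecutive-position discipline.
    """

    def __init__(self):
        self._history = {}                   # index -> value, i.e. the set of pairs
        self._cv = threading.Condition()

    def put(self, index, value):
        with self._cv:
            if self._history.get(index, value) != value:
                raise RuntimeError(f"error: state is top (two values at index {index})")
            self._history[index] = value     # lub of the state and {(index, value)}
            self._cv.notify_all()            # wake readers blocked on a threshold

    def get(self, threshold):
        """threshold maps a history to the member of the threshold set that is
        below it, or None while no member is (the E-GetVal premise fails)."""
        with self._cv:
            while (hit := threshold(self._history)) is None:
                self._cv.wait()
            return hit


def convert(i):
    """The threshold set {{(i, n)} | n in N} of Figure 8 as a matcher on histories."""
    return lambda history: (i, history[i]) if i in history else None


def filter_dups(inp, outp, cnt, i1=0, i2=0, lst=None):
    """Figure 8's transducer with cursors i1, i2 and state lst carried
    explicitly; a loop replaces the self-applied recursion.  Consumes cnt
    input elements and returns the output cursor (number of values emitted).
    lst=None stands for "no element seen yet" (an assumption)."""
    while cnt > 0:
        _, nxt = inp.get(convert(i1))        # get inp (convert i1): blocks until position i1 exists
        if nxt != lst:
            outp.put(i2, nxt)                # put outp (convert (i2, next))
            i2 += 1
        i1, lst, cnt = i1 + 1, nxt, cnt - 1
    return i2


def run_pipeline(values):
    """Run a producer writing `values` to inp concurrently with filter_dups;
    return the output channel's history as a list."""
    inp, outp = ChannelLVar(), ChannelLVar()

    def producer():
        for i, v in enumerate(values):       # writes consecutive positions only
            inp.put(i, v)

    worker = threading.Thread(target=producer)
    worker.start()
    emitted = filter_dups(inp, outp, cnt=len(values))
    worker.join()
    return [outp.get(convert(i))[1] for i in range(emitted)]


def conflicting_put_is_error():
    """A repeated identical put is harmless (the lub is idempotent), but a
    different value at the same index makes the state top: error."""
    chan = ChannelLVar()
    chan.put(0, 7)
    chan.put(0, 7)
    try:
        chan.put(0, 8)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(run_pipeline([1, 1, 2, 2, 2, 3, 1, 1]))   # [1, 2, 3, 1]
```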

6 Safe, Limited Nondeterminism

In practice, a major problem with nondeterministic programs is that they can silently go wrong. Most parallel programming models are unsafe in this sense, but we may classify a nondeterministic language as safe if all occurrences of nondeterminism — that is, execution paths that would yield an incorrect answer — are caught and reported as errors. This notion of safe nondeterminism is analogous to the concept of type safety: type-safe programs can throw exceptions, but they will not "go wrong". We find that there are various extensions (see footnote 13) to a deterministic language that make it safely nondeterministic. Here, we will look at one such extension: exact but destructive observations.

We take as our motivating example the shared, increment-only counter of Figure 2(c), and begin with the observation that when the state of a shared counter has come to rest — when no more increments will occur — then its final value is a deterministic function of program inputs, and is therefore safe to read directly. The problem is determining when an LVar has come to rest. However, if the value of an LVar is indeed at rest, then we do no harm to it by corrupting its state in such a way that further increments will lead to an error. We can accomplish this by adding an extra state, called probation, to the domain D. The lattice defined by the relation ⊑ is extended thus:

    probation ⊑ ⊤

    ∀d ∈ D. d ⋢ probation

13 While not recognized explicitly by the authors as such, a recent extension to CnC for memory management incidentally fell into this category [?].

    let cnt = new in
    let sum = new in
    let par p1 = (bump_3 sum; bump_1 cnt)
            p2 = (bump_4 sum; bump_1 cnt)
            p3 = (bump_5 sum; bump_1 cnt)
            r  = (get cnt 3; consume sum)
    in ... r ...

Figure 9: A deterministic program that makes destructive observations.
We then propose a new operation, consume, that takes a pointer to an LVar l, updates the store, setting l's state to probation, and returns a singleton set containing the exact previous state of l, rather than a lower bound on that state. The idea is to ensure that, after a consume, any further operations on l will go awry: put operations will attempt to move the state of l to ⊤, which will cause the system to step to error.

Figure 9 shows an example program that uses consume to perform an asynchronous sum reduction over a known number of inputs. In such a reduction, data dependencies alone determine when the reduction is complete, rather than control constructs such as parallel loops and barriers. In Figure 9 we use semicolon as sugar for sequential composition: for example, e1; e2 rather than let _ = e1 in e2. We also assume a new syntactic sugar in the form of a bump operation that takes a pointer to an LVar and increments it by one, with bump_n l as an additional shorthand for n consecutive bumps to l. The get cnt 3 before the call to consume serves as a synchronization mechanism, ensuring that all increments are complete before the value is read. Three writers and one reader execute in parallel, and only when all writers complete does the reader return the sum, which in this case will be 3 + 4 + 5 = 12.

The good news is that the program of Figure 9 is correct and deterministic; it will always return the same value in any execution. However, the consume primitive in general admits safe nondeterminism, meaning that, while all runs of the program will terminate with the same value if they terminate without error, some runs of the program may terminate in error, in spite of other runs completing successfully. To see how an error might occur, imagine an alternate version of the program of Figure 9 in which get cnt 3 is replaced by get cnt 2. This version would have insufficient synchronization. The program could run correctly many times — if the bumps happen to complete before the consume operation executes — and yet step to error on the thousandth run. Yet, with safe nondeterminism, it is possible to catch and respond to this error, for example by rerunning in a debug mode that is guaranteed to find a valid execution if it exists, or by using a data-race detector which will reproduce all races in the execution in question. We have implemented example interpreters and a race-detector for λLVar, available at http://github.com/rrnewton/lambdapar_interps.



6.1 Syntactic Sugar for Counting

Strictly speaking, if we directly use the lattice of Figure 2(c), the bump operation would not be possible. Therefore, rather than use the domain in Figure 2(c) directly, we can simulate it using a power-set lattice over an arbitrary alphabet of symbols {a, b, c, ...}, ordered by subset inclusion. LVars occupying such a lattice encode natural numbers using the cardinality of the subset (see footnote 14). Thus, a blocking get operation that unblocks when the count reaches, say, 3 would take a threshold set enumerating all the three-element subsets of the alphabet.

With this encoding, incrementing a shared variable l requires put l {a}, where a ∈ {a, b, c, ...} and a has not previously been used. Thus, without any additional support, a hypothetical programmer would be responsible for creating a unique a for each parallel contribution to the counter. There are well-known techniques, however, for generating a unique (but schedule-invariant and deterministic) identifier for a given point in a parallel execution. One solution is to reify the position of an operation inside a tree (or DAG) of parallel evaluations. The Cilk Plus parallel programming language refers to this notion as the operation's pedigree and uses it to seed a deterministic parallel random number generator [11].

With this encoding, we can implement an expression unique, which, when evaluated, returns a singleton threshold set containing a single unique element of the alphabet: {a}. With the unique syntax, we can write programs like the following, in which two parallel threads increment the same counter:

    let sum = new in
    let par p1 = (put sum unique; put sum unique)
            p2 = (put sum unique)                           (Example 3)
    in ...

In this case, the p1 and p2 "threads" will together increment the sum by three. Notice that consecutive increments performed by p2 are not atomic. With unique in place, bump l desugars to put l unique. The unique construct could be implemented by a whole-program transformation over a sugared λLVar expression. Figure 10 shows one possible

14 Of course, just as with an encoding like Church numerals, this encoding would never be used by a realistic implementation.
    [[unique]]     = λp. convert p
    [[v]]          = λp. v
    [[λv. e]]      = λp. λv. [[e]]
    [[new]]        = λp. new
    [[e1 e2]]      = λp. (([[e1]] (L:p)) ([[e2]] (R:p))) (J:p)
    [[put a b]]    = λp. put ([[a]] (L:p)) ([[b]] (R:p))
    [[get a b]]    = λp. get ([[a]] (L:p)) ([[b]] (R:p))
    [[convert e]]  = λp. convert ([[e]] p)

Figure 10: Rewrite rules for desugaring the unique construct within λLVar programs. Here we use "L:", "R:", "J:" to cons onto the front of a list that represents a path within a fork/join DAG. The symbols mean, respectively, "left branch", "right branch", or "after the join" of the two branches. This requires a λ-calculus encoding of lists, as well as a definition of convert that is an injective function from these list values onto the domain D.

implementation. It creates a tree that tracks the dynamic evaluation of applications, and shows some similarity to a continuation-passing style transformation [10].
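Figure 9 together with the counter encoding of this subsection, as an added example that is neither the paper's code nor the lambdapar_interps interpreters: every interleaving of the four branches is explored over the power-set counter lattice with the probation state, so the safe-nondeterminism claim (all runs agree or some runs fail, never a wrong sum) can be checked directly, and the under-synchronized get cnt 2 variant is checked alongside. Assumed here: each bump's unique symbol is its (branch, position) pedigree rather than the full fork/join path of Figure 10, and consuming an LVar already in probation is also an error.

```python
"""Consume/probation counters of Section 6 and the unique-symbol counter
encoding of Section 6.1, checked over every interleaving.

Constructed example, not the paper's code.  An LVar state is a set of
unique symbols (the power-set lattice of 6.1; the count is the
cardinality) or the extra `probation` element that consume leaves behind.
The four branches of Figure 9 are explored exhaustively, and the set of
possible final outcomes is returned: a sum, "error" (a put that would move
an LVar to top), or "deadlock".
"""
from functools import lru_cache

PROBATION = "probation"   # probation is below top, and no element of D sits above it


def figure9_program(cnt_threshold=3):
    """Figure 9 as four branches of operations (tuples of (op, lvar, arg)).

    bump l is put l {a}: here a is the operation's pedigree (branch name,
    position within the branch), a schedule-invariant unique symbol standing
    in for the fork/join path that Figure 10 would compute (my simplification).
    cnt_threshold is the 3 in `get cnt 3`; lower values under-synchronize.
    """
    def writer(name, n):
        ops = [("put", "sum", (name, i)) for i in range(n)]   # bump_n sum
        ops.append(("put", "cnt", (name, n)))                 # bump_1 cnt
        return tuple(ops)
    reader = (("get", "cnt", cnt_threshold),   # threshold set: all cnt_threshold-element subsets
              ("consume", "sum", None))        # exact read, then sum -> probation
    return (writer("p1", 3), writer("p2", 4), writer("p3", 5), reader)


def outcomes(branches):
    """All final results reachable by interleaving the branches one step at a time."""

    @lru_cache(maxsize=None)
    def explore(pcs, sum_state, cnt_state, result):
        if all(pc == len(b) for pc, b in zip(pcs, branches)):
            return frozenset({result})
        outs, enabled = set(), False
        for i, (pc, b) in enumerate(zip(pcs, branches)):
            if pc == len(b):
                continue                       # this branch has finished
            op, loc, arg = b[pc]
            s, c, r = sum_state, cnt_state, result
            if op == "put":
                cur = s if loc == "sum" else c
                if cur == PROBATION:           # probation joined with {a} is top: error
                    outs.add("error")
                    enabled = True
                    continue
                cur = frozenset(cur | {arg})   # lub in the power-set lattice
                if loc == "sum":
                    s = cur
                else:
                    c = cur
            elif op == "get":
                if len(c) < arg:               # no threshold element below the state: get blocks
                    continue
            else:                              # consume
                if s == PROBATION:
                    outs.add("error")
                    enabled = True
                    continue
                r, s = len(s), PROBATION       # exact observation, then poison the LVar
            enabled = True
            advanced = pcs[:i] + (pc + 1,) + pcs[i + 1:]
            outs |= explore(advanced, s, c, r)
        return frozenset(outs) if enabled else frozenset({"deadlock"})

    return set(explore((0,) * len(branches), frozenset(), frozenset(), None))


if __name__ == "__main__":
    print(outcomes(figure9_program(3)))   # {12}: every schedule agrees
    print(outcomes(figure9_program(2)))   # {12, 'error'}: under-synchronized, but never a wrong sum
```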



Work on deterministic parallel programming models is long-standing. In addition to the single-assignment and KPN models already discussed, here we consider a few recent contributions to the literature.

Deterministic Parallel Java (DPJ). DPJ [?] is a deterministic language consisting of a system of annotations for Java code. A sophisticated region-based type system ensures that a mutable region of the heap is, essentially, passed linearly to an exclusive writer. While a linear type system or region system like that of DPJ could be used to enforce single assignment statically, accommodating λLVar's semantics would involve parameterizing the type system by the user-specified domain — a direction of inquiry that we leave for future work.

DPJ also provides a way to unsafely assert that operations commute with one another (using the commutesWith form) to enable concurrent mutation. However, DPJ does not provide direct support for modeling message-passing (e.g., KPNs) or asynchronous communication within parallel regions. Finally, a key difference between the λLVar model and DPJ is that λLVar retains determinism by restricting what can be read or written, rather than by restricting who can read or write.

Concurrent Revisions. The Concurrent Revisions (CR) [16] programming model uses isolation types to distinguish regions of the heap shared by multiple mutators. Rather than enforcing exclusive access, CR clones a copy of the state for each mutator, using a deterministic policy for resolving conflicts in local copies. The management of shared variables in CR is tightly coupled to a fork-join control structure, and the implementation of these variables is similar to reduction variables in other languages (e.g., Cilk hyperobjects [13]). CR charts an important new area in the deterministic-parallelism design space, but one that differs significantly from λLVar. CR could be used to model similar types of data structures — if versioned variables used least upper bound as their merge function for conflicts — but effects would only become visible at the end of parallel regions, rather than λLVar's asynchronous communication within parallel regions.

Bloom and Bloom$^L$ In the distributed systems literature, eventually consistent systems [25] leverage the idea of
monotonicity to guarantee that, for instance, nodes in a distributed database eventually agree. The Bloom language for
distributed database programming [1] guarantees eventual consistency for distributed data collections that are updated
monotonically. The initial formulation of Bloom [2] had a notion of monotonicity based on set containment, analogous
to the store ordering for single-assignment languages given in Definition 4. However, recent work by Conway et
al. [9] generalizes Bloom to a more flexible lattice-parameterized system, Bloom$^L$, in a manner analogous to our
generalization from IVars to LVars. Bloom$^L$ comes with a library of built-in lattice types and also allows users to
implement their own lattice types as Ruby classes. Although Conway et al. do not give a proof of eventual consistency
for Bloom$^L$, our determinism result for $\lambda_{\mathsf{LVar}}$ suggests that their generalization is indeed safe. Moreover, although
the goals of Bloom differ from those of $\lambda_{\mathsf{LVar}}$, we believe that Bloom$^L$ bodes well for programmers' willingness to
use lattice-based data structures like LVars, and lattice-parameterized languages based on them, to address real-world
programming challenges.

Quantum programming The $\lambda_{\mathsf{LVar}}$ semantics is reminiscent of the semantics of quantum programming languages
that extend a conventional $\lambda$-calculus with a store that maintains the quantum state. Because of quantum parallelism,
the quantum state can be accessed by many threads in parallel, but only through a restricted interface. As a concrete
example, the language designed by Selinger and Valiron [22] allows only the following operations on quantum data:
(1) "appending" to the current data using the tensor product; (2) performing a unitary operation that must, by definition,
act linearly and uniformly on the data; and (3) selecting a set of orthogonal subspaces and performing a measurement
that projects the quantum state onto one of the subspaces. These operations correspond roughly to $\lambda_{\mathsf{LVar}}$'s new, put, and
get. Quantum mechanics may serve as a source of inspiration when designing operations like consume that introduce
limited nondeterminism.

8 Conclusion 

As single-assignment languages and Kahn process networks demonstrate, monotonicity serves as the foundation of
deterministic parallelism. Taking monotonicity as a starting point, our work generalizes single assignment to monotonic
multiple assignment parameterized by a user-specified lattice. By combining monotonic writes with threshold
reads, we get a shared-state parallel programming model that generalizes and unifies an entire class of monotonic
languages suitable for asynchronous, data-driven applications. Our model is provably deterministic, and further provides
a foundation for exploration of limited nondeterminism. Future work will investigate implementation strategies,
formally establish the relationship between $\lambda_{\mathsf{LVar}}$ and other deterministic parallel models, and prove the more limited
guarantees provided by $\lambda_{\mathsf{LVar}}$ + consume.
A Proof of Determinism

Definition 9. Two stores $S$ and $S'$ are equal iff:

1. $S = \top_S$ and $S' = \top_S$, or

2. $\mathit{dom}(S) = \mathit{dom}(S')$ and for all $l \in \mathit{dom}(S)$, $S(l) = S'(l)$.

A.1 Renaming of Locations During a Step

Lemma 1 (Renaming of Locations During a Step). If $(S; e) \hookrightarrow (S'; e')$ (where $(S'; e') \neq \mathsf{error}$) and $\{l_1, \ldots, l_n\} = \mathit{dom}(S') - \mathit{dom}(S)$, then:

For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$:

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)];\; e'[l_1 := l'_1] \cdots [l_n := l'_n]) \;(\neq \mathsf{error}),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S'(l)$.

Proof. By induction on the derivation of $(S; e) \hookrightarrow (S'; e')$, by cases on the last rule in the derivation. Since
$(S'; e') \neq \mathsf{error}$, we only need to consider rules that step to non-error configurations. In cases where $\mathit{dom}(S') - \mathit{dom}(S) = \emptyset$, the only possible set $\{l'_1, \ldots, l'_n\}$ is also $\emptyset$, so in such cases we need only show that

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}; e').$$

A.1.1 E-Refl

• E-Refl:

Given: $(S; e) \hookrightarrow (S; e)$.

To show: $(S; e) \hookrightarrow (S_{\mathit{oldlocs}}; e)$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all
$l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ and since for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$, we have by Definition 9
that $S_{\mathit{oldlocs}} = S$, so the case is immediate by E-Refl.

A.1.2 E-ParApp

• E-ParApp:

(NB: For simplicity, we elide renaming of $(S_1; e'_1)$ in this case, and assume without loss of generality that
location names created during the transition $(S; e_1) \hookrightarrow (S_1; e'_1)$ are distinct from those created during the
transition $(S; e_2) \hookrightarrow (S_2; e'_2)$.)

Given: $(S; e_1\ e_2) \hookrightarrow (S_1 \sqcup_S S_2; e'_1\ e'_2)$ and $\{l_1, \ldots, l_n\} = \mathit{dom}(S_1 \sqcup_S S_2) - \mathit{dom}(S)$.

To show: For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_1 \sqcup_S S_2)$ for $i \in [1..n]$,

$$(S; e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \cdots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)];\; (e'_1\ e'_2)[l_1 := l'_1] \cdots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = (S_1 \sqcup_S S_2)(l)$.

Consider arbitrary $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_1 \sqcup_S S_2)$ for $i \in [1..n]$.

From the first two premises of E-ParApp, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$ and $(S; e_2) \hookrightarrow (S_2; e'_2)$.

Since we assume that location names created during $(S; e_1) \hookrightarrow (S_1; e'_1)$ are distinct from those created during
$(S; e_2) \hookrightarrow (S_2; e'_2)$, and since $\{l_1, \ldots, l_n\} = \mathit{dom}(S_1 \sqcup_S S_2) - \mathit{dom}(S)$, we have that $\mathit{dom}(S_1) - \mathit{dom}(S) = \{l_1, \ldots, l_k\}$ and $\mathit{dom}(S_2) - \mathit{dom}(S) = \{l_{k+1}, \ldots, l_n\}$ for some $k$ such that $\{l_1, \ldots, l_k\} \cap \{l_{k+1}, \ldots, l_n\} = \emptyset$ and $\{l_1, \ldots, l_k\} \cup \{l_{k+1}, \ldots, l_n\} = \{l_1, \ldots, l_n\}$.

Then, by IH, we have the following two facts:

1. For all sets $\{l'_1, \ldots, l'_k\}$ such that $l'_i \notin \mathit{dom}(S_1)$ for $i \in [1..k]$:

$$(S; e_1) \hookrightarrow (S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)];\; e'_1[l_1 := l'_1] \cdots [l_k := l'_k]) \neq \mathsf{error},$$

where $S_{\mathit{oldlocs1}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs1}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs1}})$, $S_{\mathit{oldlocs1}}(l) = S_1(l)$.

2. For all sets $\{l'_{k+1}, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_2)$ for $i \in [k+1..n]$:

$$(S; e_2) \hookrightarrow (S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)];\; e'_2[l_{k+1} := l'_{k+1}] \cdots [l_n := l'_n]) \neq \mathsf{error},$$

where $S_{\mathit{oldlocs2}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs2}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs2}})$, $S_{\mathit{oldlocs2}}(l) = S_2(l)$.

Instantiate facts (1) and (2) with $\{l'_1, \ldots, l'_k\}$ and $\{l'_{k+1}, \ldots, l'_n\}$, respectively, where $\{l'_1, \ldots, l'_k\} \cap \{l'_{k+1}, \ldots, l'_n\} = \emptyset$ and $\{l'_1, \ldots, l'_k\} \cup \{l'_{k+1}, \ldots, l'_n\} = \{l'_1, \ldots, l'_n\}$.

Note that since $l'_i \notin \mathit{dom}(S_1 \sqcup_S S_2)$ for $i \in [1..n]$, it is also the case that $l'_i \notin \mathit{dom}(S_1)$ for $i \in [1..k]$ and that
$l'_i \notin \mathit{dom}(S_2)$ for $i \in [k+1..n]$. Therefore, we have that:

1. $(S; e_1) \hookrightarrow (S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)];\; e'_1[l_1 := l'_1] \cdots [l_k := l'_k]) \neq \mathsf{error}$, where $S_{\mathit{oldlocs1}}$
is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs1}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs1}})$, $S_{\mathit{oldlocs1}}(l) = S_1(l)$.

2. $(S; e_2) \hookrightarrow (S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)];\; e'_2[l_{k+1} := l'_{k+1}] \cdots [l_n := l'_n]) \neq \mathsf{error}$,
where $S_{\mathit{oldlocs2}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs2}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs2}})$, $S_{\mathit{oldlocs2}}(l) = S_2(l)$.

Since

$$(S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)];\; e'_1[l_1 := l'_1] \cdots [l_k := l'_k]) \neq \mathsf{error}$$

and

$$(S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)];\; e'_2[l_{k+1} := l'_{k+1}] \cdots [l_n := l'_n]) \neq \mathsf{error},$$

we have that

$$S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)] \neq \top_S$$

and

$$S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)] \neq \top_S.$$

Further, since $S_1 \sqcup_S S_2 \neq \top_S$ (from the third premise of E-ParApp) and since $\{l'_1, \ldots, l'_k\} \cap \{l'_{k+1}, \ldots, l'_n\} = \emptyset$,
we have that

$$S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)] \sqcup_S S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)] \neq \top_S.$$

Therefore, by E-ParApp, we have that $(S; e_1\ e_2)$ steps to

$$(S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)] \sqcup_S S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)];\;
(e'_1[l_1 := l'_1] \cdots [l_k := l'_k])\ (e'_2[l_{k+1} := l'_{k+1}] \cdots [l_n := l'_n])).$$

It remains to show that the above configuration is equivalent to

$$(S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \cdots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)];\; (e'_1\ e'_2)[l_1 := l'_1] \cdots [l_n := l'_n]),$$

which we show as follows.

First, since $\mathit{dom}(S_{\mathit{oldlocs1}}) = \mathit{dom}(S_{\mathit{oldlocs2}}) = \mathit{dom}(S)$, we have that:

$$(S_{\mathit{oldlocs1}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)]) \sqcup_S (S_{\mathit{oldlocs2}}[l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)])$$
$$= (S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}})[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)][l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)].$$

Note that $\mathit{dom}(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}}) = \mathit{dom}(S)$. Therefore $\mathit{dom}(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}}) = \mathit{dom}(S_{\mathit{oldlocs}})$. Further,
by Definition 3 we have that for all $l \in \mathit{dom}(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}})$, $(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}})(l) = S_{\mathit{oldlocs1}}(l) \sqcup S_{\mathit{oldlocs2}}(l) = S_1(l) \sqcup S_2(l) = (S_1 \sqcup_S S_2)(l) = S_{\mathit{oldlocs}}(l)$. Therefore, by Definition 9 we have that $S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}} = S_{\mathit{oldlocs}}$. Continuing from above, then, we have that

$$(S_{\mathit{oldlocs1}} \sqcup_S S_{\mathit{oldlocs2}})[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)][l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)]$$
$$= S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)][l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)].$$

Next, since $\{l_1, \ldots, l_k\} \cap \{l_{k+1}, \ldots, l_n\} = \emptyset$, we have that $l_i \notin \mathit{dom}(S_2)$ for $i \in [1..k]$ and $l_i \notin \mathit{dom}(S_1)$ for
$i \in [k+1..n]$. Therefore $S_1(l_i) = (S_1 \sqcup_S S_2)(l_i)$ for $i \in [1..k]$ and $S_2(l_i) = (S_1 \sqcup_S S_2)(l_i)$ for $i \in [k+1..n]$,
and so we have

$$S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_k \mapsto S_1(l_k)][l'_{k+1} \mapsto S_2(l_{k+1})] \cdots [l'_n \mapsto S_2(l_n)]$$
$$= S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \cdots [l'_k \mapsto (S_1 \sqcup_S S_2)(l_k)][l'_{k+1} \mapsto (S_1 \sqcup_S S_2)(l_{k+1})] \cdots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)]$$
$$= S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \cdots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)].$$

Finally, we need to show that $(e'_1\ e'_2)[l_1 := l'_1] \cdots [l_n := l'_n]$ is equivalent to

$$(e'_1[l_1 := l'_1] \cdots [l_k := l'_k])\ (e'_2[l_{k+1} := l'_{k+1}] \cdots [l_n := l'_n]).$$

Here, note that $l_{k+1}, \ldots, l_n$ cannot occur in $e'_1$ and $l_1, \ldots, l_k$ cannot occur in $e'_2$. Therefore the above expression
is equivalent to

$$(e'_1[l_1 := l'_1] \cdots [l_n := l'_n])\ (e'_2[l_1 := l'_1] \cdots [l_n := l'_n]),$$

which is equivalent to $(e'_1\ e'_2)[l_1 := l'_1] \cdots [l_n := l'_n]$. Therefore we have that

$$(S; e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto (S_1 \sqcup_S S_2)(l_1)] \cdots [l'_n \mapsto (S_1 \sqcup_S S_2)(l_n)];\; (e'_1\ e'_2)[l_1 := l'_1] \cdots [l_n := l'_n]),$$

as we were required to show.

A.1.3 E-Put-1

• E-Put-1:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1; \mathsf{put}\ e'_1\ e_2)$ and $\{l_1, \ldots, l_n\} = \mathit{dom}(S_1) - \mathit{dom}(S)$.

To show: For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_1)$ for $i \in [1..n]$,

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_n \mapsto S_1(l_n)];\; (\mathsf{put}\ e'_1\ e_2)[l_1 := l'_1] \cdots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S_1(l)$.

Consider arbitrary $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_1)$ for $i \in [1..n]$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$. By IH we have that

$$(S; e_1) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_n \mapsto S_1(l_n)];\; e'_1[l_1 := l'_1] \cdots [l_n := l'_n]).$$

Therefore, by E-Put-1 we have that:

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_n \mapsto S_1(l_n)];\; \mathsf{put}\ (e'_1[l_1 := l'_1] \cdots [l_n := l'_n])\ e_2).$$

Note that $l_1, \ldots, l_n$ do not occur in $e_2$, for if some $l_i$ occurred in $e_2$, then we would have $l_i \in \mathit{dom}(S)$, which
contradicts $\{l_1, \ldots, l_n\} = \mathit{dom}(S_1) - \mathit{dom}(S)$. Therefore $e_2 = e_2[l_1 := l'_1] \cdots [l_n := l'_n]$, and so we have:

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_n \mapsto S_1(l_n)];\; \mathsf{put}\ (e'_1[l_1 := l'_1] \cdots [l_n := l'_n])\ (e_2[l_1 := l'_1] \cdots [l_n := l'_n])),$$

which is equivalent to

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_1(l_1)] \cdots [l'_n \mapsto S_1(l_n)];\; (\mathsf{put}\ e'_1\ e_2)[l_1 := l'_1] \cdots [l_n := l'_n]),$$

as we were required to show.

A.1.4 E-Put-2

• E-Put-2:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2; \mathsf{put}\ e_1\ e'_2)$ and $\{l_1, \ldots, l_n\} = \mathit{dom}(S_2) - \mathit{dom}(S)$.

To show: For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_2)$ for $i \in [1..n]$,

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \cdots [l'_n \mapsto S_2(l_n)];\; (\mathsf{put}\ e_1\ e'_2)[l_1 := l'_1] \cdots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S_2(l)$.

Consider arbitrary $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S_2)$ for $i \in [1..n]$.

From the premise of E-Put-2, we have that $(S; e_2) \hookrightarrow (S_2; e'_2)$. By IH we have that

$$(S; e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \cdots [l'_n \mapsto S_2(l_n)];\; e'_2[l_1 := l'_1] \cdots [l_n := l'_n]).$$

Therefore, by E-Put-2 we have that:

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \cdots [l'_n \mapsto S_2(l_n)];\; \mathsf{put}\ e_1\ (e'_2[l_1 := l'_1] \cdots [l_n := l'_n])).$$

Note that $l_1, \ldots, l_n$ do not occur in $e_1$, for if some $l_i$ occurred in $e_1$, then we would have $l_i \in \mathit{dom}(S)$, which
contradicts $\{l_1, \ldots, l_n\} = \mathit{dom}(S_2) - \mathit{dom}(S)$. Therefore $e_1 = e_1[l_1 := l'_1] \cdots [l_n := l'_n]$, and so we have:

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \cdots [l'_n \mapsto S_2(l_n)];\; \mathsf{put}\ (e_1[l_1 := l'_1] \cdots [l_n := l'_n])\ (e'_2[l_1 := l'_1] \cdots [l_n := l'_n])),$$

which is equivalent to

$$(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S_2(l_1)] \cdots [l'_n \mapsto S_2(l_n)];\; (\mathsf{put}\ e_1\ e'_2)[l_1 := l'_1] \cdots [l_n := l'_n]),$$

as we were required to show.

A.1.5 E-PutVal

• E-PutVal:

Given: $(S; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2]; \{\})$ (note that no new locations are created during this transition,
since we already have $l \in \mathit{dom}(S)$ from the $S(l) = d_2$ premise of E-PutVal).

To show: $(S; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S_{\mathit{oldlocs}}; \{\})$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and
for all $l' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l') = (S[l \mapsto d_1 \sqcup d_2])(l')$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S) = \mathit{dom}(S[l \mapsto d_1 \sqcup d_2])$ and since for all $l' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l') = (S[l \mapsto d_1 \sqcup d_2])(l')$, we have by Definition 9 that $S_{\mathit{oldlocs}} = S[l \mapsto d_1 \sqcup d_2]$, so the case is immediate by
E-PutVal.
A.1.6 E-Get-1

• E-Get-1: Analogous to E-Put-1.

A.1.7 E-Get-2

• E-Get-2: Analogous to E-Put-2.

A.1.8 E-GetVal

• E-GetVal:

Given: $(S; \mathsf{get}\ l\ Q) \hookrightarrow (S; \{d_1\})$.

To show: $(S; \mathsf{get}\ l\ Q) \hookrightarrow (S_{\mathit{oldlocs}}; \{d_1\})$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and
for all $l' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l') = S(l')$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ and since for all $l' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l') = S(l')$, we have by Definition 9
that $S_{\mathit{oldlocs}} = S$, so the case is immediate by E-GetVal.

A.1.9 E-Convert

• E-Convert:

Given: $(S; \mathsf{convert}\ e) \hookrightarrow (S'; \mathsf{convert}\ e')$ and $\{l_1, \ldots, l_n\} = \mathit{dom}(S') - \mathit{dom}(S)$.

To show: For all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$,

$$(S; \mathsf{convert}\ e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)];\; (\mathsf{convert}\ e')[l_1 := l'_1] \cdots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S'(l)$.

Consider arbitrary $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$.

From the premise of E-Convert, we have that $(S; e) \hookrightarrow (S'; e')$. By IH we have that

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)];\; e'[l_1 := l'_1] \cdots [l_n := l'_n]).$$

Therefore, by E-Convert we have that:

$$(S; \mathsf{convert}\ e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)];\; \mathsf{convert}\ (e'[l_1 := l'_1] \cdots [l_n := l'_n])),$$

which is equivalent to

$$(S; \mathsf{convert}\ e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)];\; (\mathsf{convert}\ e')[l_1 := l'_1] \cdots [l_n := l'_n]),$$

as we were required to show.

A.1.10 E-ConvertVal

• E-ConvertVal:

Given: $(S; \mathsf{convert}\ v) \hookrightarrow (S; \delta(v))$.

To show: $(S; \mathsf{convert}\ v) \hookrightarrow (S_{\mathit{oldlocs}}; \delta(v))$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$,
and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ and since for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$, we have by Definition 9
that $S_{\mathit{oldlocs}} = S$, so the case is immediate by E-ConvertVal.
A.1.11 E-Beta

• E-Beta:

Given: $(S; (\lambda x.\, e)\ v) \hookrightarrow (S; e[x := v])$.

To show: $(S; (\lambda x.\, e)\ v) \hookrightarrow (S_{\mathit{oldlocs}}; e[x := v])$, where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$,
and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$.

Since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ and since for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S(l)$, we have by Definition 9
that $S_{\mathit{oldlocs}} = S$, so the case is immediate by E-Beta.

A.1.12 E-New

• E-New:

Given: $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$.

To show: For all $l' \notin \mathit{dom}(S[l \mapsto \bot])$,

$$(S; \mathsf{new}) \hookrightarrow (S_{\mathit{oldlocs}}[l' \mapsto \bot]; l'),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l'' \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l'') = (S[l \mapsto \bot])(l'')$.

We have from the definition of $S_{\mathit{oldlocs}}$ that $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$. Then, since the transition $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$ does not update any existing bindings (since $l \notin \mathit{dom}(S)$ from the side condition of E-New),
$S_{\mathit{oldlocs}}(l'') = S(l'')$ for all $l'' \in \mathit{dom}(S)$. So, by Definition 9, $S_{\mathit{oldlocs}} = S$.

Therefore, we have only to show that $(S; \mathsf{new}) \hookrightarrow (S[l' \mapsto \bot]; l')$, which is immediate by E-New since
$l' \notin \mathit{dom}(S)$, which follows from $l' \notin \mathit{dom}(S[l \mapsto \bot])$.

□

A.2 Safety of rename

Lemma 1 characterizes the circumstances under which location renamings are safe. In the context of a transition
$(S; e) \hookrightarrow (S'; e')$, it characterizes the set of safe renamings of $S'$ as those that can be expressed as a store $S_{\mathit{oldlocs}}$
(whose domain is equal to the domain of $S$, but whose codomain may differ from that of $S$ because of updates to
existing bindings), extended with bindings from each new location name to the value bound by the corresponding
location name in $S'$.

The $\mathit{rename}$ metafunction, on the other hand, is defined algorithmically: it takes a configuration $(S'; e')$ and stores
$S''$ and $S$ as arguments and performs capture-avoiding substitution of new location names for the corresponding old
ones in $(S'; e')$, where the names to be replaced and the names they are to be replaced with are chosen based on $S''$
and $S$. In and of itself, the $\mathit{rename}$ metafunction does nothing to ensure that the renaming it performs is "safe"; it
is up to the caller to use it correctly. Lemma 2 shows that in the circumstances where we use $\mathit{rename}$, namely, the
circumstances where a configuration $(S; e)$ has stepped to $(S'; e')$ and there exists a third store $S'' \neq \top_S$, the
renaming $\mathit{rename}((S'; e'), S'', S)$ meets the specification that Lemma 1 sets.

Lemma 2 (Safety of rename). If $(S; e) \hookrightarrow (S'; e')$ (where $(S'; e') \neq \mathsf{error}$) and $S'' \neq \top_S$, then:

$$(S; e) \hookrightarrow \mathit{rename}((S'; e'), S'', S).$$

Proof. From the definition of $\mathit{rename}$, we have that:

$$\mathit{rename}((S'; e'), S'', S) = (S'; e')[l_1 := l'_1] \cdots [l_n := l'_n]$$
$$= (S'[l_1 := l'_1] \cdots [l_n := l'_n];\; e'[l_1 := l'_1] \cdots [l_n := l'_n]),$$

where:

• $\{l_1, \ldots, l_n\} = \mathit{dom}(S') - \mathit{dom}(S)$, and

• $\{l'_1, \ldots, l'_n\}$ is a set such that $l'_i \notin (\mathit{dom}(S') \cup \mathit{dom}(S''))$ for $i \in [1..n]$.

Therefore we need to show that $(S; e) \hookrightarrow (S'[l_1 := l'_1] \cdots [l_n := l'_n];\; e'[l_1 := l'_1] \cdots [l_n := l'_n])$, with $\{l_1, \ldots, l_n\}$
and $\{l'_1, \ldots, l'_n\}$ defined as above.

Applying Lemma 1 to $(S; e) \hookrightarrow (S'; e')$ and $\{l_1, \ldots, l_n\}$, we have that for all sets $\{l'_1, \ldots, l'_n\}$ such that $l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$:

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)];\; e'[l_1 := l'_1] \cdots [l_n := l'_n]),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = S'(l)$.

Instantiate that result with $\{l'_1, \ldots, l'_n\}$. Note that since $l'_i \notin (\mathit{dom}(S') \cup \mathit{dom}(S''))$ for $i \in [1..n]$, we have that
$l'_i \notin \mathit{dom}(S')$ for $i \in [1..n]$. Therefore we have that

$$(S; e) \hookrightarrow (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)];\; e'[l_1 := l'_1] \cdots [l_n := l'_n]).$$

Since our goal is to show that

$$(S; e) \hookrightarrow (S'[l_1 := l'_1] \cdots [l_n := l'_n];\; e'[l_1 := l'_1] \cdots [l_n := l'_n]),$$

all that remains is to show that $S'[l_1 := l'_1] \cdots [l_n := l'_n]$ and $S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)]$ are equal.

By Definition 9, we have to show that:

• $\mathit{dom}(S'[l_1 := l'_1] \cdots [l_n := l'_n]) = \mathit{dom}(S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)])$, and

• for all $l'' \in \mathit{dom}(S'[l_1 := l'_1] \cdots [l_n := l'_n])$,

$$(S'[l_1 := l'_1] \cdots [l_n := l'_n])(l'') = (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)])(l'').$$

For the first conjunct, $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)$ by definition, so

$$\mathit{dom}(S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)]) = \mathit{dom}(S) \cup \{l'_1, \ldots, l'_n\}$$
$$= \mathit{dom}(S) \cup \{l_1, \ldots, l_n\}[l_1 := l'_1] \cdots [l_n := l'_n]$$
$$= \mathit{dom}(S) \cup (\mathit{dom}(S') - \mathit{dom}(S))[l_1 := l'_1] \cdots [l_n := l'_n]$$
$$= \mathit{dom}(S) \cup (\mathit{dom}(S')[l_1 := l'_1] \cdots [l_n := l'_n] - \mathit{dom}(S)) \quad \text{(since } l_i \notin \mathit{dom}(S)\text{)}$$
$$= \mathit{dom}(S) \cup \mathit{dom}(S')[l_1 := l'_1] \cdots [l_n := l'_n]$$
$$= \mathit{dom}(S) \cup \mathit{dom}(S'[l_1 := l'_1] \cdots [l_n := l'_n])$$
$$= \mathit{dom}(S'[l_1 := l'_1] \cdots [l_n := l'_n]) \quad \text{(since } \mathit{dom}(S) \subseteq \mathit{dom}(S') \text{ and } l_i \notin \mathit{dom}(S)\text{)}.$$

For the second conjunct, there are two possibilities for $l''$:

• $l'' \in \mathit{dom}(S)$:

$$(S'[l_1 := l'_1] \cdots [l_n := l'_n])(l'') = S'(l'') \quad \text{(since } l_i \notin \mathit{dom}(S)\text{)}$$
$$= S_{\mathit{oldlocs}}(l'') \quad \text{(since } S_{\mathit{oldlocs}}(l) = S'(l) \text{ for all } l \in \mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S)\text{)}$$
$$= (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)])(l'')$$

(since additional bindings are irrelevant to the lookup of $l''$).

• $l'' \notin \mathit{dom}(S)$:

$$(S'[l_1 := l'_1] \cdots [l_n := l'_n])(l'') = ([l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)])(l'')$$
$$= (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)])(l'')$$

(since additional bindings are irrelevant to the lookup of $l''$).

Therefore $S'[l_1 := l'_1] \cdots [l_n := l'_n]$ and $S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)]$ are equal. Since both their stores and
expressions are equal, then, we have that

$$\mathit{rename}((S'; e'), S'', S) = (S_{\mathit{oldlocs}}[l'_1 \mapsto S'(l_1)] \cdots [l'_n \mapsto S'(l_n)];\; e'[l_1 := l'_1] \cdots [l_n := l'_n]),$$

as we were required to show. □



A.3 Independence

Lemma 3 (Independence). If $(S; e) \hookrightarrow (S'; e')$ (where $(S'; e') \neq \mathsf{error}$), then for all $S''$ such that $S''$ is non-conflicting with $(S; e) \hookrightarrow (S'; e')$ and $S' \sqcup_S S'' \neq \top_S$:

$$(S \sqcup_S S''; e) \hookrightarrow (S' \sqcup_S S''; e').$$

Proof. Consider arbitrary $S''$ such that $S''$ is non-conflicting with $(S; e) \hookrightarrow (S'; e')$ and $S' \sqcup_S S'' \neq \top_S$. To show:
$(S \sqcup_S S''; e) \hookrightarrow (S' \sqcup_S S''; e')$.

The proof is by induction on the derivation of $(S; e) \hookrightarrow (S'; e')$, by cases on the last rule in the derivation. Since
$(S'; e') \neq \mathsf{error}$, we only need to consider rules that step to non-error configurations. The requirement that $S''$ is
non-conflicting with $(S; e) \hookrightarrow (S'; e')$ is only needed in the E-New case.

• Case E-Refl:

Given: $(S; e) \hookrightarrow (S; e)$, and $S \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; e) \hookrightarrow (S \sqcup_S S''; e)$.
The proof is immediate by E-Refl.

• Case E-ParApp:

Given: $(S; e_1\ e_2) \hookrightarrow (S''_1 \sqcup_S S_2; e''_1\ e'_2)$, and $(S''_1 \sqcup_S S_2) \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow ((S''_1 \sqcup_S S_2) \sqcup_S S''; e''_1\ e'_2)$.

From the premises of E-ParApp, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$, $(S; e_2) \hookrightarrow (S_2; e'_2)$, and $(S''_1; e''_1) = \mathit{rename}((S_1; e'_1), S_2, S)$.

Since $(S''_1 \sqcup_S S_2) \sqcup_S S'' \neq \top_S$, we have that $S_2 \neq \top_S$. Therefore, since $(S; e_1) \hookrightarrow (S_1; e'_1)$, by Lemma 2
we have that $(S; e_1) \hookrightarrow \mathit{rename}((S_1; e'_1), S_2, S)$. Since $(S''_1; e''_1) = \mathit{rename}((S_1; e'_1), S_2, S)$, we have that
$(S; e_1) \hookrightarrow (S''_1; e''_1)$.

Since $(S''_1 \sqcup_S S_2) \sqcup_S S'' \neq \top_S$, we know that $S''_1 \sqcup_S S'' \neq \top_S$ and $S_2 \sqcup_S S'' \neq \top_S$.

Therefore, by IH, we have that $(S \sqcup_S S''; e_1) \hookrightarrow (S''_1 \sqcup_S S''; e''_1)$ and that $(S \sqcup_S S''; e_2) \hookrightarrow (S_2 \sqcup_S S''; e'_2)$.

Since $(S''_1 \sqcup_S S_2) \sqcup_S S'' \neq \top_S$, we have that $(S''_1 \sqcup_S S'') \sqcup_S (S_2 \sqcup_S S'') \neq \top_S$.

Therefore, by E-ParApp we have that $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow ((S''_1 \sqcup_S S'') \sqcup_S (S_2 \sqcup_S S''); e''_1\ e'_2)$.

Since $(S''_1 \sqcup_S S'') \sqcup_S (S_2 \sqcup_S S'')$ is equal to $(S''_1 \sqcup_S S_2) \sqcup_S S''$, we have that $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow ((S''_1 \sqcup_S S_2) \sqcup_S S''; e''_1\ e'_2)$, as required.

• Case E-Put-1:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1; \mathsf{put}\ e'_1\ e_2)$, and $S_1 \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1 \sqcup_S S''; \mathsf{put}\ e'_1\ e_2)$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$. Since $S_1 \sqcup_S S'' \neq \top_S$, by IH we have that

$$(S \sqcup_S S''; e_1) \hookrightarrow (S_1 \sqcup_S S''; e'_1).$$

Therefore, by E-Put-1 we have that $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_1 \sqcup_S S''; \mathsf{put}\ e'_1\ e_2)$, as required.

• Case E-Put-2:

Given: $(S; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2; \mathsf{put}\ e_1\ e'_2)$, and $S_2 \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2 \sqcup_S S''; \mathsf{put}\ e_1\ e'_2)$.

From the premise of E-Put-2, we have that $(S; e_2) \hookrightarrow (S_2; e'_2)$. Since $S_2 \sqcup_S S'' \neq \top_S$, by IH we have that

$$(S \sqcup_S S''; e_2) \hookrightarrow (S_2 \sqcup_S S''; e'_2).$$

Therefore, by E-Put-2 we have that $(S \sqcup_S S''; \mathsf{put}\ e_1\ e_2) \hookrightarrow (S_2 \sqcup_S S''; \mathsf{put}\ e_1\ e'_2)$, as required.

• Case E-Get-1: Analogous to E-Put-1.

• Case E-Get-2: Analogous to E-Put-2.

• Case E-Convert:

Given: $(S; \mathsf{convert}\ e) \hookrightarrow (S'; \mathsf{convert}\ e')$, and $S' \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; \mathsf{convert}\ e) \hookrightarrow (S' \sqcup_S S''; \mathsf{convert}\ e')$.

From the premise of E-Convert, we have that $(S; e) \hookrightarrow (S'; e')$. Since $S' \sqcup_S S'' \neq \top_S$, by IH we have that

$$(S \sqcup_S S''; e) \hookrightarrow (S' \sqcup_S S''; e').$$

Therefore, by E-Convert we have that $(S \sqcup_S S''; \mathsf{convert}\ e) \hookrightarrow (S' \sqcup_S S''; \mathsf{convert}\ e')$, as required.

• Case E-Beta:

Given: $(S; (\lambda x.\, e)\ v) \hookrightarrow (S; e[x := v])$, and $S \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; (\lambda x.\, e)\ v) \hookrightarrow (S \sqcup_S S''; e[x := v])$.
Immediate by E-Beta.

• Case E-New:

Given: $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$ (where $l \notin \mathit{dom}(S)$), $S''$ is non-conflicting with $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, and $S[l \mapsto \bot] \sqcup_S S'' \neq \top_S$.

To show: $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot] \sqcup_S S''; l)$.

By E-New, we have that $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l' \mapsto \bot]; l')$, where $l' \notin \mathit{dom}(S \sqcup_S S'')$. One of
the following two possibilities must hold:

- $l' = l$.

In this case, we immediately have that $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$.

- $l' \neq l$.

In this case, we apply Lemma 1 to $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l' \mapsto \bot]; l')$ and $\{l'\}$. Therefore, for
all $l''$ such that $l'' \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$,

$$(S \sqcup_S S''; \mathsf{new}) \hookrightarrow (S_{\mathit{oldlocs}}[l'' \mapsto ((S \sqcup_S S'')[l' \mapsto \bot])(l')];\; l'[l' := l''])$$
$$= (S_{\mathit{oldlocs}}[l'' \mapsto \bot]; l''),$$

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S \sqcup_S S'')$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$,
$S_{\mathit{oldlocs}}(l) = ((S \sqcup_S S'')[l' \mapsto \bot])(l)$.

Note that since $l' \notin \mathit{dom}(S \sqcup_S S'')$, $S_{\mathit{oldlocs}}(l) = (S \sqcup_S S'')(l)$ for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$. Therefore, since
$\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S \sqcup_S S'')$ and $S_{\mathit{oldlocs}}(l) = (S \sqcup_S S'')(l)$ for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, the conditions of
Definition 9 are satisfied, and $S_{\mathit{oldlocs}} = S \sqcup_S S''$.

Therefore, we have that for all $l''$ such that $l'' \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$,

$$(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l'' \mapsto \bot]; l'').$$

Instantiate the above with $l$. Since $S''$ is non-conflicting with $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, we know that
$l \notin \mathit{dom}(S'')$, and we have from the side condition of E-New that $l \notin \mathit{dom}(S)$. Therefore $l \notin \mathit{dom}(S \sqcup_S S'')$, and since $l \neq l'$, we have that $l \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$. Therefore, $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$.

So, regardless of whether $l' = l$ or $l' \neq l$, we can conclude $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$. Then,
since $S''$ is non-conflicting with $(S; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, we have that $l \notin \mathit{dom}(S'')$, and we have from
the side condition of E-New that $l \notin \mathit{dom}(S)$. Therefore, we have:

$$(S \sqcup_S S'')[l \mapsto \bot] = S[l \mapsto \bot] \sqcup_S S''[l \mapsto \bot]$$
$$= S \sqcup_S [l \mapsto \bot] \sqcup_S S'' \sqcup_S [l \mapsto \bot]$$
$$= S \sqcup_S [l \mapsto \bot] \sqcup_S S''$$
$$= S[l \mapsto \bot] \sqcup_S S''.$$

Therefore $(S \sqcup_S S''; \mathsf{new}) \hookrightarrow (S[l \mapsto \bot] \sqcup_S S''; l)$, as we were required to show.
• Case E-PutVal:

Given: $(S; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2]; \{\})$, and $S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S''; \{\})$.
We have two cases:

- $l \notin \mathit{dom}(S'')$.

In this case, since $S(l) = d_2$ (from the premises of E-PutVal), we know that $(S \sqcup_S S'')(l) = d_2$.
Therefore, by E-PutVal, $(S \sqcup_S S''; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S''; \{\})$, as we were required
to show.

- $l \in \mathit{dom}(S'')$.

Since $S(l) = d_2$ (from the premises of E-PutVal), we know that $(S \sqcup_S S'')(l) = d'_2$, where $d_2 \sqsubseteq d'_2$.
We show that $d_1 \sqcup d'_2 \neq \top$, as follows:

* Since $S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'' \neq \top_S$, we know that $(S[l \mapsto d_1 \sqcup d_2])(l) \sqcup S''(l) \neq \top$.

* Therefore, we have:

$$(S[l \mapsto d_1 \sqcup d_2])(l) \sqcup S''(l)$$
$$= d_1 \sqcup d_2 \sqcup S''(l) \quad \text{(since } (S[l \mapsto d_1 \sqcup d_2])(l) = d_1 \sqcup d_2\text{)}$$
$$= d_1 \sqcup S(l) \sqcup S''(l) \quad \text{(since } S(l) = d_2\text{)}$$
$$= S(l) \sqcup S''(l) \sqcup d_1$$
$$= d_1 \sqcup (S \sqcup_S S'')(l)$$
$$= d_1 \sqcup d'_2.$$

Since $(S \sqcup_S S'')(l) = d'_2$ and $d_1 \sqcup d'_2 \neq \top$, by E-PutVal we have that

$$(S \sqcup_S S''; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2]; \{\}).$$

It remains to show that $(S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2]$ is equal to $S[l \mapsto d_1 \sqcup d_2] \sqcup_S S''$.
By Definition 9, to show that the stores are equal, we have two requirements to satisfy:

* $\mathit{dom}((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2]) = \mathit{dom}(S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')$, and

* for all $l'$, $((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2])(l') = (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')(l')$.

The first requirement follows from the observation that

$$\mathit{dom}((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2]) = \mathit{dom}(S \sqcup_S S'') \cup \{l\}$$
$$= \mathit{dom}(S) \cup \{l\} \cup \mathit{dom}(S'')$$
$$= \mathit{dom}(S[l \mapsto d_1 \sqcup d_2]) \cup \mathit{dom}(S'')$$
$$= \mathit{dom}(S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'').$$

For the second requirement, we have two cases to consider:

* $l' \neq l$: In this case, bindings for $l$ are irrelevant, so

$$((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2])(l') = (S \sqcup_S S'')(l')$$
$$= (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')(l'),$$

as required.

* $l' = l$: In this case, we have $((S \sqcup_S S'')[l \mapsto d_1 \sqcup d'_2])(l) = d_1 \sqcup d'_2$.

We show that $(S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')(l)$ is also equal to $d_1 \sqcup d'_2$, as follows:

$$(S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'')(l) = (S[l \mapsto d_1 \sqcup d_2])(l) \sqcup S''(l)$$
$$= d_1 \sqcup d_2 \sqcup S''(l)$$
$$= d_1 \sqcup S(l) \sqcup S''(l)$$
$$= d_1 \sqcup (S \sqcup_S S'')(l)$$
$$= d_1 \sqcup d'_2.$$

Therefore we have that $(S \sqcup_S S''; \mathsf{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2] \sqcup_S S''; \{\})$, as required.

• Case E-GetVal:

Given: $(S; \mathsf{get}\ l\ Q) \hookrightarrow (S; \{d_1\})$, and $S \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; \mathsf{get}\ l\ Q) \hookrightarrow (S \sqcup_S S''; \{d_1\})$.

Since $S(l) = d_2$ (from the premises of E-GetVal), we know that $(S \sqcup_S S'')(l) = d'_2$, where $d_2 \sqsubseteq d'_2$.

From the premises of E-GetVal, we also have that $d_1 \in Q$ and that $d_1 \sqsubseteq d_2$. Since $d_2 \sqsubseteq d'_2$, we have that
$d_1 \sqsubseteq d'_2$. Therefore, by E-GetVal, we have that $(S \sqcup_S S''; \mathsf{get}\ l\ Q) \hookrightarrow (S \sqcup_S S''; \{d_1\})$, as we were required
to show.

(Intuitively, $\mathsf{get}\ l\ Q$ is asking whether the value of $S(l)$ is at least the value of $d_1$. Once that is true, it will remain so
under increasing $S$, since the value of $S(l)$ can only increase as $S$ increases.)

• Case E-ConvertVal:

Given: $(S; \mathsf{convert}\ Q) \hookrightarrow (S; \delta(Q))$, and $S \sqcup_S S'' \neq \top_S$.
To show: $(S \sqcup_S S''; \mathsf{convert}\ Q) \hookrightarrow (S \sqcup_S S''; \delta(Q))$.
Immediate by E-ConvertVal.

□
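The Independence lemma just proved, together with the Clash lemma in A.4 below, is easy to check mechanically on a small model, and doing so makes the "monotonic store" intuition concrete: a step taken under a store $S$ is still a step under any larger, non-conflicting store $S \sqcup_S S''$, and the only thing a larger store can change is to turn the step into $\mathsf{error}$ when $S' \sqcup_S S'' = \top_S$. The following Python is an added example, not the paper's own code or an artifact of the $\lambda_{\mathsf{LVar}}$ project. It assumes the flat "single-assignment" lattice over strings ($\bot$, any one value, $\top$, with two distinct values joining to $\top$, exactly as in the IVar encoding), represents locations as plain strings, and models only the redex steps E-PutVal, E-GetVal and E-New; expressions are tuples such as `("put", "l", "a")`, and the names `step`, `store_lub`, `check_lemma` and the constructed stores are this example's own.

```python
# Executable model of the LVar store and of single put/get/new steps, used to
# check the Independence and Clash lemmas on constructed inputs.
# Added example; lattice, store encoding and all names are assumptions.

BOT, TOP = "BOT", "TOP"          # lattice bottom and top (constructed names)
TOP_S = "TOP_S"                  # the error store, written ⊤_S in the paper
ERROR = "error"                  # the error configuration


def lub(a, b):
    """Least upper bound in the flat lattice: ⊥ is the unit, a value joined
    with itself is unchanged, two distinct values conflict and give ⊤."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP


def leq(a, b):
    """a ⊑ b in the flat lattice."""
    return a == BOT or b == TOP or a == b


def store_lub(s1, s2):
    """Definition 3: pointwise lub of two stores; the result is ⊤_S as soon
    as some location would be bound to ⊤."""
    if s1 == TOP_S or s2 == TOP_S:
        return TOP_S
    out = dict(s1)
    for loc, d in s2.items():
        out[loc] = lub(out[loc], d) if loc in out else d
        if out[loc] == TOP:
            return TOP_S
    return out


def step(store, expr):
    """One reduction of a put/get/new redex (E-PutVal, E-GetVal, E-New).
    Returns (store', value), ERROR, or None when a get is blocked because
    its threshold has not been reached yet.  For new, the fresh location is
    supplied in the expression so the model is deterministic."""
    if store == TOP_S:
        return ERROR                      # (⊤_S; e) is the error configuration
    kind = expr[0]
    if kind == "put":
        _, loc, d1 = expr
        d = lub(d1, store[loc])           # S(l) = d2; new binding is d1 ⊔ d2
        if d == TOP:
            return ERROR                  # conflicting write: step to error
        return {**store, loc: d}, ()
    if kind == "get":
        _, loc, threshold = expr
        for d1 in threshold:              # some d1 ∈ Q with d1 ⊑ S(l)
            if leq(d1, store[loc]):
                return store, d1
        return None                       # blocked
    if kind == "new":
        _, loc = expr
        assert loc not in store           # side condition of E-New
        return {**store, loc: BOT}, loc
    raise ValueError(kind)


def non_conflicting(s_before, s_after, s2):
    """Definition 5: S'' binds none of the locations the step created."""
    created = set(s_after) - set(s_before)
    return not (created & set(s2))


def check_lemma(store, expr, s2):
    """Take the step under S and under S ⊔ S'' and report which lemma applies
    and whether it held.  'independence': S' ⊔ S'' ≠ ⊤_S and the larger store
    steps to exactly (S' ⊔ S''; e').  'clash': S' ⊔ S'' = ⊤_S and the larger
    store steps to error."""
    result = step(store, expr)
    assert result not in (ERROR, None)    # lemmas assume a non-error step
    s_after, value = result
    assert non_conflicting(store, s_after, s2)
    joined = store_lub(s_after, s2)
    under_bigger = step(store_lub(store, s2), expr)
    if joined == TOP_S:
        return "clash", under_bigger == ERROR
    return "independence", under_bigger == (joined, value)
```

A put of `"a"` into a location that $S''$ already binds to `"b"` is the Clash case: $S' \sqcup_S S'' = \top_S$, and the same put taken under $S \sqcup_S S''$ reports `ERROR` rather than a wrong answer. A get whose threshold is already met stays met under any larger store, which is the remark in the E-GetVal case above.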



A.4 Clash

Lemma 4 (Clash). If $(S; e) \hookrightarrow (S'; e')$ (where $(S'; e') \neq \mathsf{error}$), then for all $S''$ such that $S''$ is non-conflicting
with $(S; e) \hookrightarrow (S'; e')$ and $S' \sqcup_S S'' = \top_S$:

$$(S \sqcup_S S''; e) \hookrightarrow \mathsf{error}.$$

Proof. Consider arbitrary $S''$ such that $S''$ is non-conflicting with $(S; e) \hookrightarrow (S'; e')$ and $S' \sqcup_S S'' = \top_S$. To show:
$(S \sqcup_S S''; e) \hookrightarrow \mathsf{error}$.

The proof is by induction on the derivation of $(S; e) \hookrightarrow (S'; e')$, by cases on the last rule in the derivation. Since
$(S'; e') \neq \mathsf{error}$, we only need to consider rules that step to non-error configurations.

• Case E-Refl:

Given: $(S; e) \hookrightarrow (S; e)$ and $S \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; e) \hookrightarrow \mathsf{error}$.

Immediate by E-ReflErr since $(\top_S; e) = \mathsf{error}$.
• Case E-ParApp:

Given: $(S; e_1\ e_2) \hookrightarrow (S''_1 \sqcup_S S_2; e''_1\ e'_2)$, $S''$ is non-conflicting with $(S; e_1\ e_2) \hookrightarrow (S''_1 \sqcup_S S_2; e''_1\ e'_2)$, and
$(S''_1 \sqcup_S S_2) \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow \mathsf{error}$.

From the premises of E-ParApp, we have that $(S; e_1) \hookrightarrow (S_1; e'_1)$, $(S; e_2) \hookrightarrow (S_2; e'_2)$, and $(S''_1; e''_1) = \mathit{rename}((S_1; e'_1), S_2, S)$.

At least one of the following situations must occur:

- $S''_1 \sqcup_S S'' = \top_S$. Then, by IH, $(S \sqcup_S S''; e_1) \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-1, we have that
$(S \sqcup_S S''; e_1\ e_2) \hookrightarrow \mathsf{error}$, as required.

- $S_2 \sqcup_S S'' = \top_S$. Then, by IH, $(S \sqcup_S S''; e_2) \hookrightarrow \mathsf{error}$. Therefore, by E-AppErr-2, we have that
$(S \sqcup_S S''; e_1\ e_2) \hookrightarrow \mathsf{error}$, as required.

- $S''_1 \sqcup_S S'' \neq \top_S$ and $S_2 \sqcup_S S'' \neq \top_S$.

In this case, since $S_2 \sqcup_S S'' \neq \top_S$, we have that $S_2 \neq \top_S$. Therefore, since $(S; e_1) \hookrightarrow (S_1; e'_1)$, by
Lemma 2 we have that $(S; e_1) \hookrightarrow \mathit{rename}((S_1; e'_1), S_2, S)$. Since $(S''_1; e''_1) = \mathit{rename}((S_1; e'_1), S_2, S)$,
we have that $(S; e_1) \hookrightarrow (S''_1; e''_1)$.

We have from premises that $S''$ is non-conflicting with $(S; e_1\ e_2) \hookrightarrow (S''_1 \sqcup_S S_2; e''_1\ e'_2)$, so, by Definition 5, $(\mathit{dom}(S''_1 \sqcup_S S_2) - \mathit{dom}(S)) \cap \mathit{dom}(S'') = \emptyset$. Therefore $(\mathit{dom}(S''_1) - \mathit{dom}(S)) \cap \mathit{dom}(S'') = \emptyset$, and
so $S''$ is non-conflicting with $(S; e_1) \hookrightarrow (S''_1; e''_1)$. Likewise, $(\mathit{dom}(S_2) - \mathit{dom}(S)) \cap \mathit{dom}(S'') = \emptyset$,
and so $S''$ is non-conflicting with $(S; e_2) \hookrightarrow (S_2; e'_2)$.

Therefore, by Lemma 3, we have that $(S \sqcup_S S''; e_1) \hookrightarrow (S''_1 \sqcup_S S''; e''_1)$ and that $(S \sqcup_S S''; e_2) \hookrightarrow (S_2 \sqcup_S S''; e'_2)$.

Since $(S''_1 \sqcup_S S_2) \sqcup_S S'' = \top_S$, we have that $(S''_1 \sqcup_S S'') \sqcup_S (S_2 \sqcup_S S'') = \top_S$. Therefore, by E-ParAppErr,
we have that $(S \sqcup_S S''; e_1\ e_2) \hookrightarrow \mathsf{error}$, as required.

• Case E-Put-1:

Given: $(S; \mathit{put}\ e_1\ e_2) \hookrightarrow (S_1; \mathit{put}\ e_1'\ e_2)$, and $S_1 \sqcup_S S'' = \top_S$.
To show: $(S \sqcup_S S''; \mathit{put}\ e_1\ e_2) \hookrightarrow \mathit{error}$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e_1')$.

Since $S_1 \sqcup_S S'' = \top_S$, by IH, we have that $(S \sqcup_S S''; e_1) \hookrightarrow \mathit{error}$.

Therefore, by E-PutErr-1 we have that $(S \sqcup_S S''; \mathit{put}\ e_1\ e_2) \hookrightarrow \mathit{error}$, as required.

• Case E-Put-2:

Given: $(S; \mathit{put}\ e_1\ e_2) \hookrightarrow (S_2; \mathit{put}\ e_1\ e_2')$, and $S_2 \sqcup_S S'' = \top_S$.
To show: $(S \sqcup_S S''; \mathit{put}\ e_1\ e_2) \hookrightarrow \mathit{error}$.

From the premise of E-Put-2, we have that $(S; e_2) \hookrightarrow (S_2; e_2')$.

Since $S_2 \sqcup_S S'' = \top_S$, by IH, we have that $(S \sqcup_S S''; e_2) \hookrightarrow \mathit{error}$.

Therefore, by E-PutErr-2 we have that $(S \sqcup_S S''; \mathit{put}\ e_1\ e_2) \hookrightarrow \mathit{error}$, as required.

• Case E-Get-1: Analogous to E-Put-1.

• Case E-Get-2: Analogous to E-Put-2.

• Case E-Convert:

Given: $(S; \mathit{convert}\ e) \hookrightarrow (S'; \mathit{convert}\ e')$ and $S' \sqcup_S S'' = \top_S$.
To show: $(S \sqcup_S S''; \mathit{convert}\ e) \hookrightarrow \mathit{error}$.

From the premise of E-Convert, we have that $(S; e) \hookrightarrow (S'; e')$.

Since $S' \sqcup_S S'' = \top_S$, by IH, we have that $(S \sqcup_S S''; e) \hookrightarrow \mathit{error}$.

Therefore, by E-ConvertErr we have that $(S \sqcup_S S''; \mathit{convert}\ e) \hookrightarrow \mathit{error}$, as required.

• Case E-Beta:

Given: $(S; (\lambda x.\ e)\ v) \hookrightarrow (S; e[x := v])$ and $S \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; (\lambda x.\ e)\ v) \hookrightarrow \mathit{error}$.

Immediate by E-ReflErr since $(\top_S; (\lambda x.\ e)\ v) = \mathit{error}$.

• Case E-New:

Given: $(S; \mathit{new}) \hookrightarrow (S[l \mapsto \bot]; l)$ (where $l \notin \mathit{dom}(S)$), $S''$ is non-conflicting with $(S; \mathit{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, and $S[l \mapsto \bot] \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; \mathit{new}) \hookrightarrow \mathit{error}$.

By E-New, $(S \sqcup_S S''; \mathit{new}) \hookrightarrow ((S \sqcup_S S'')[l' \mapsto \bot]; l')$, where $l' \notin \mathit{dom}(S \sqcup_S S'')$. One of the following two possibilities must hold:

- $l' = l$.

In this case, we immediately have that $(S \sqcup_S S''; \mathit{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$.

- $l' \neq l$.

In this case, we apply Lemma 1 to $(S \sqcup_S S''; \mathit{new}) \hookrightarrow ((S \sqcup_S S'')[l' \mapsto \bot]; l')$ and $\{l'\}$. Therefore, for all $l''$ such that $l'' \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$,

$(S \sqcup_S S''; \mathit{new}) \hookrightarrow (S_{\mathit{oldlocs}}[l'' \mapsto ((S \sqcup_S S'')[l' \mapsto \bot])(l')]; l'[l' := l''])$
$= (S_{\mathit{oldlocs}}[l'' \mapsto \bot]; l'')$,

where $S_{\mathit{oldlocs}}$ is defined as follows: $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S \sqcup_S S'')$, and for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, $S_{\mathit{oldlocs}}(l) = ((S \sqcup_S S'')[l' \mapsto \bot])(l)$.

Note that since $l' \notin \mathit{dom}(S \sqcup_S S'')$, $S_{\mathit{oldlocs}}(l) = (S \sqcup_S S'')(l)$ for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$. Therefore, since $\mathit{dom}(S_{\mathit{oldlocs}}) = \mathit{dom}(S \sqcup_S S'')$ and $S_{\mathit{oldlocs}}(l) = (S \sqcup_S S'')(l)$ for all $l \in \mathit{dom}(S_{\mathit{oldlocs}})$, the conditions of Definition 9 are satisfied, and $S_{\mathit{oldlocs}} = S \sqcup_S S''$.

Therefore, we have that for all $l''$ such that $l'' \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$,

$(S \sqcup_S S''; \mathit{new}) \hookrightarrow ((S \sqcup_S S'')[l'' \mapsto \bot]; l'')$.

Instantiate the above with $l$. Since $S''$ is non-conflicting with $(S; \mathit{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, we know that $l \notin \mathit{dom}(S'')$, and we have from the side condition of E-New that $l \notin \mathit{dom}(S)$. Therefore $l \notin \mathit{dom}(S \sqcup_S S'')$, and since $l \neq l'$, we have that $l \notin \mathit{dom}((S \sqcup_S S'')[l' \mapsto \bot])$. Therefore, $(S \sqcup_S S''; \mathit{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$.

So, regardless of whether $l' = l$ or $l' \neq l$, we can conclude $(S \sqcup_S S''; \mathit{new}) \hookrightarrow ((S \sqcup_S S'')[l \mapsto \bot]; l)$. Then, since $S''$ is non-conflicting with $(S; \mathit{new}) \hookrightarrow (S[l \mapsto \bot]; l)$, we have that $l \notin \mathit{dom}(S'')$, and we have from the side condition of E-New that $l \notin \mathit{dom}(S)$. Therefore, we have:

$(S \sqcup_S S'')[l \mapsto \bot] = S[l \mapsto \bot] \sqcup_S S''[l \mapsto \bot]$
$= S \sqcup_S [l \mapsto \bot] \sqcup_S S'' \sqcup_S [l \mapsto \bot]$
$= S \sqcup_S [l \mapsto \bot] \sqcup_S S''$
$= S[l \mapsto \bot] \sqcup_S S''$
$= \top_S$.

Therefore, since $(\top_S; l) = \mathit{error}$, we have that $(S \sqcup_S S''; \mathit{new}) \hookrightarrow \mathit{error}$, as we were required to show.
• Case E-PutVal:

Given: $(S; \mathit{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2]; \{\})$ and $S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'' = \top_S$.
To show: $(S \sqcup_S S''; \mathit{put}\ l\ \{d_1\}) \hookrightarrow \mathit{error}$.
One of the following must be the case:

- $S \sqcup_S S'' = \top_S$. In this case, the proof is immediate by E-ReflErr, since $(\top_S; \mathit{put}\ l\ \{d_1\}) = \mathit{error}$.

- $S \sqcup_S S'' \neq \top_S$. In this case, we proceed as follows:

Since $S(l) = d_2$ (from the premises of E-PutVal), we know that $(S \sqcup_S S'')(l) = d_2'$, where $d_2 \sqsubseteq d_2'$. We show that $d_1 \sqcup d_2' = \top$, as follows:

* Since $S[l \mapsto d_1 \sqcup d_2] \sqcup_S S'' = \top_S$, we know that there exists some $l' \in \mathit{dom}(S[l \mapsto d_1 \sqcup d_2]) \cap \mathit{dom}(S'')$ such that $(S[l \mapsto d_1 \sqcup d_2])(l') \sqcup S''(l') = \top$.

* If $l' \neq l$, then $(S[l \mapsto d_1 \sqcup d_2])(l')$ would be equal to $S(l')$, because the binding for $l$ would be irrelevant. We would then have $(S[l \mapsto d_1 \sqcup d_2])(l') \sqcup S''(l') = S(l') \sqcup S''(l') = \top$, a contradiction since $S \sqcup_S S'' \neq \top_S$. Therefore it must be the case that $l' = l$, so we have that $(S[l \mapsto d_1 \sqcup d_2])(l) \sqcup S''(l) = \top$.

* Therefore, we have:

$\top = (S[l \mapsto d_1 \sqcup d_2])(l) \sqcup S''(l)$
$= d_1 \sqcup d_2 \sqcup S''(l)$ (since $(S[l \mapsto d_1 \sqcup d_2])(l) = d_1 \sqcup d_2$)
$= d_1 \sqcup S(l) \sqcup S''(l)$ (since $S(l) = d_2$)
$= d_1 \sqcup (S \sqcup_S S'')(l)$
$= d_1 \sqcup d_2'$

Therefore, since $(S \sqcup_S S'')(l) = d_2'$ and $d_1 \sqcup d_2' = \top$, by E-PutValErr we have that $(S \sqcup_S S''; \mathit{put}\ l\ \{d_1\}) \hookrightarrow \mathit{error}$, as required.

• Case E-GetVal:

Given: $(S; \mathit{get}\ l\ Q) \hookrightarrow (S; \{d_1\})$ and $S \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; \mathit{get}\ l\ Q) \hookrightarrow \mathit{error}$.

Immediate by E-ReflErr since $(\top_S; \mathit{get}\ l\ Q) = \mathit{error}$.

• Case E-ConvertVal:

Given: $(S; \mathit{convert}\ Q) \hookrightarrow (S; \delta(Q))$ and $S \sqcup_S S'' = \top_S$.

To show: $(S \sqcup_S S''; \mathit{convert}\ Q) \hookrightarrow \mathit{error}$.

Immediate by E-ReflErr since $(\top_S; \mathit{convert}\ Q) = \mathit{error}$.

□

A.5 Error Preservation

Lemma 5 (Error Preservation). If $(S; e) \hookrightarrow \mathit{error}$ and $S \sqsubseteq_S S'$, then $(S'; e) \hookrightarrow \mathit{error}$.

Proof. Let $S \sqsubseteq_S S'$ and proceed by induction on the derivation of $(S; e) \hookrightarrow \mathit{error}$. We only need to consider the reduction rules that step to error.
• Case E-AppErr-1:

Given: $(S; e_1\ e_2) \hookrightarrow \mathit{error}$.

To show: $(S'; e_1\ e_2) \hookrightarrow \mathit{error}$.

From the premise of E-AppErr-1 we have that $(S; e_1) \hookrightarrow \mathit{error}$. Since $S \sqsubseteq_S S'$, we have by the induction hypothesis that $(S'; e_1) \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-1, we have that $(S'; e_1\ e_2) \hookrightarrow \mathit{error}$, as required.

• Case E-AppErr-2: Analogous to E-AppErr-1.

• Case E-ParAppErr:

(NB: For simplicity, we elide renaming throughout this case and assume that configurations can be renamed to meet non-conflicting requirements.)

Given: $(S; e_1\ e_2) \hookrightarrow \mathit{error}$.

To show: $(S'; e_1\ e_2) \hookrightarrow \mathit{error}$.

From the premises of E-ParAppErr, we have that:

- $(S; e_1) \hookrightarrow (S_1; e_1')$,

- $(S; e_2) \hookrightarrow (S_2; e_2')$, and

- $S_1 \sqcup_S S_2 = \top_S$.

At least one of the following situations must occur:

- $S_1 \sqcup_S S' = \top_S$.

In this case, since $(S; e_1) \hookrightarrow (S_1; e_1')$, and $S_1 \sqcup_S S' = \top_S$, we have from Lemma 4 that $(S \sqcup_S S'; e_1) \hookrightarrow \mathit{error}$. Since $S \sqsubseteq_S S'$, $S \sqcup_S S' = S'$, so we have that $(S'; e_1) \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-1, we have that $(S'; e_1\ e_2) \hookrightarrow \mathit{error}$, as required.

- $S_2 \sqcup_S S' = \top_S$.

In this case, since $(S; e_2) \hookrightarrow (S_2; e_2')$, and $S_2 \sqcup_S S' = \top_S$, we have from Lemma 4 that $(S \sqcup_S S'; e_2) \hookrightarrow \mathit{error}$. Since $S \sqsubseteq_S S'$, $S \sqcup_S S' = S'$, so we have that $(S'; e_2) \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-2, we have that $(S'; e_1\ e_2) \hookrightarrow \mathit{error}$, as required.

- $S_1 \sqcup_S S' \neq \top_S$ and $S_2 \sqcup_S S' \neq \top_S$.

In this case, since $(S; e_1) \hookrightarrow (S_1; e_1')$ and $S_1 \sqcup_S S' \neq \top_S$, we have from Lemma 3 that $(S \sqcup_S S'; e_1) \hookrightarrow (S_1 \sqcup_S S'; e_1')$. Likewise, since $(S; e_2) \hookrightarrow (S_2; e_2')$ and $S_2 \sqcup_S S' \neq \top_S$, we have from Lemma 3 that $(S \sqcup_S S'; e_2) \hookrightarrow (S_2 \sqcup_S S'; e_2')$.

Since $S \sqsubseteq_S S'$, $S \sqcup_S S' = S'$, so we have that $(S'; e_1) \hookrightarrow (S_1 \sqcup_S S'; e_1')$ and $(S'; e_2) \hookrightarrow (S_2 \sqcup_S S'; e_2')$.

Since $S_1 \sqcup_S S_2 = \top_S$, we have that $S_1 \sqcup_S S' \sqcup_S S_2 \sqcup_S S' = \top_S$. Therefore, by E-ParAppErr, we have that $(S'; e_1\ e_2) \hookrightarrow \mathit{error}$, as desired.

• Case E-PutErr-1: Analogous to E-AppErr-1.

• Case E-PutErr-2: Analogous to E-AppErr-1.

• Case E-GetErr-1: Analogous to E-AppErr-1.

• Case E-GetErr-2: Analogous to E-AppErr-1.

• Case E-ConvertErr:

Given: $(S; \mathit{convert}\ e) \hookrightarrow \mathit{error}$.

To show: $(S'; \mathit{convert}\ e) \hookrightarrow \mathit{error}$.

From the premise of E-ConvertErr we have that $(S; e) \hookrightarrow \mathit{error}$. Since $S \sqsubseteq_S S'$, we have by the induction hypothesis that $(S'; e) \hookrightarrow \mathit{error}$. Therefore, by E-ConvertErr, we have that $(S'; \mathit{convert}\ e) \hookrightarrow \mathit{error}$, as required.

• Case E-PutValErr:

Given: $(S; \mathit{put}\ l\ \{d_1\}) \hookrightarrow \mathit{error}$.
To show: $(S'; \mathit{put}\ l\ \{d_1\}) \hookrightarrow \mathit{error}$.

Since $S(l) = d_2$ (from the first premise of E-PutValErr), we know that $S'(l) = d_2'$, where $d_2 \sqsubseteq d_2'$. Since $d_1 \sqcup d_2 = \top$, we have that $d_1 \sqcup d_2' = \top$. Therefore, by E-PutValErr, $(S'; \mathit{put}\ l\ \{d_1\}) \hookrightarrow \mathit{error}$, as required.

□
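The store algebra that Lemmas 4 and 5 reason about (the lub $\sqcup_S$ of stores, its collapse to $\top_S$ as soon as one location's lub reaches $\top$, and the E-PutVal/E-PutValErr behaviour of put) can be exercised concretely. The Python model below is an added example, not code from the paper or from any LVars implementation: the single-assignment value lattice, the dictionary representation of stores, and the names `lub`, `lub_store`, `leq_store`, `put`, `clash_preserved`, `error_preserved` and `commute` are all constructed here for illustration. On constructed stores it checks the store-level content of the Clash lemma (if the put's result store, joined with some $S''$, is $\top_S$, then the same put from $S \sqcup_S S''$ errors), of Error Preservation (a put that errors keeps erroring from any $\sqsubseteq_S$-larger store), and the commutation of two independent puts that the Diamond lemma below relies on in its E-Put and E-ParApp cases.

```python
from typing import Dict, Union

# Value lattice D (constructed for this example): a single-assignment lattice.
# BOT is below every int, TOP is above everything, and two distinct ints have
# lub TOP, so a second, different write to the same location is a clash.
BOT, TOP = "bot", "top"
Val = Union[str, int]


def lub(a: Val, b: Val) -> Val:
    """Least upper bound in D."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    if a == TOP or b == TOP:
        return TOP
    return a if a == b else TOP


# Stores map locations to values. TOP_S stands for the top store and ERROR for
# the error configuration; the paper identifies (TOP_S; e) with error.
Store = Dict[str, Val]
TOP_S = "top_S"
ERROR = "error"


def lub_store(s1, s2):
    """S1 ⊔_S S2: pointwise lub over the union of the domains; the result is
    ⊤_S as soon as some location's lub is ⊤."""
    if s1 == TOP_S or s2 == TOP_S:
        return TOP_S
    out: Store = {}
    for loc in set(s1) | set(s2):
        v = lub(s1.get(loc, BOT), s2.get(loc, BOT))
        if v == TOP:
            return TOP_S
        out[loc] = v
    return out


def leq_store(s1, s2) -> bool:
    """S1 ⊑_S S2, taken here as S1 ⊔_S S2 = S2."""
    return lub_store(s1, s2) == s2


def put(s, loc: str, d1: Val):
    """E-PutVal / E-PutValErr at the store level: with S(l) = d2 the step
    yields S[l ↦ d1 ⊔ d2], or error when d1 ⊔ d2 = ⊤. A location that was
    never allocated reads as ⊥ here (the paper allocates it with new first)."""
    if s in (TOP_S, ERROR):
        return ERROR
    d2 = s.get(loc, BOT)
    joined = lub(d1, d2)
    if joined == TOP:
        return ERROR
    out = dict(s)
    out[loc] = joined
    return out


def clash_preserved(s, loc, d1, s_other) -> bool:
    """Lemma 4 instance for a put step: if put gives S' and S' ⊔_S S'' = ⊤_S,
    the same put from S ⊔_S S'' must error. Vacuously True when the
    hypothesis does not hold."""
    s_prime = put(s, loc, d1)
    if s_prime == ERROR or lub_store(s_prime, s_other) != TOP_S:
        return True
    return put(lub_store(s, s_other), loc, d1) == ERROR


def error_preserved(s, loc, d1, s_bigger) -> bool:
    """Lemma 5 instance: a put that errors from S errors from any S' ⊒_S S."""
    if put(s, loc, d1) != ERROR or not leq_store(s, s_bigger):
        return True
    return put(s_bigger, loc, d1) == ERROR


def commute(s, l1, d1, l2, d2):
    """Both interleavings of two puts from S, and the E-ParApp combination
    S1 ⊔_S S2 of their independent results. Returns the common outcome, or
    None if the three disagree (the Diamond lemma says they never do)."""
    seq12 = put(put(s, l1, d1), l2, d2)
    seq21 = put(put(s, l2, d2), l1, d1)
    s1, s2 = put(s, l1, d1), put(s, l2, d2)
    if ERROR in (s1, s2) or lub_store(s1, s2) == TOP_S:
        par = ERROR  # E-PutValErr on one branch, or E-ParAppErr on the join
    else:
        par = lub_store(s1, s2)
    return seq12 if seq12 == seq21 == par else None


if __name__ == "__main__":
    S = {"a": BOT, "b": 1}  # constructed store
    print(put(S, "a", 7))  # {'a': 7, 'b': 1}
    print(clash_preserved(S, "a", 7, {"a": 8}))  # True: S'' clashes at a
    print(error_preserved({"a": 3}, "a", 4, {"a": 3, "b": 9}))  # True
    print(commute({"a": BOT, "b": BOT}, "a", 1, "b", 2))  # {'a': 1, 'b': 2}
    print(commute({"a": BOT}, "a", 1, "a", 2))  # error
```

The `commute` check is the interesting one: two writes to different locations reach the same store in either order and under the parallel join, while two conflicting writes to the same location error in every order, which is exactly the "failures but never wrong answers" shape of the determinism result.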

A.6 Diamond

Lemma 6 (Diamond). If $\sigma \hookrightarrow \sigma_a$ and $\sigma \hookrightarrow \sigma_b$, then there exists $\sigma_c$ such that either:

• $\sigma_a \hookrightarrow \sigma_c$ and $\sigma_b \hookrightarrow \sigma_c$, or

• there exists a safe renaming $\sigma_b'$ of $\sigma_b$ with respect to $\sigma \hookrightarrow \sigma_b$, such that $\sigma_a \hookrightarrow \sigma_c$ and $\sigma_b' \hookrightarrow \sigma_c$.

Proof. By induction on the derivation of $\sigma \hookrightarrow \sigma_a$, by cases on the last rule in the derivation. For all cases except the E-New case, we prove the first disjunct; in the E-New case, we prove the second disjunct.

Where necessary, we use a "left/right" naming convention for subcases of the proof. For instance, the subcase E-ParApp/E-Refl is the case where the last rule in the derivation of $\sigma \hookrightarrow \sigma_a$ (the "left" side of the diamond) is E-ParApp and the last rule in the derivation of $\sigma \hookrightarrow \sigma_b$ (the "right" side of the diamond) is E-Refl.

A.6.1 E-Refl

• E-Refl: $\sigma = (S; e)$, and $\sigma_a = (S; e)$.
Given:

- $(S; e) \hookrightarrow (S; e)$, and

- $(S; e) \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $(S; e) \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

For all subcases E-Refl/*, choose $\sigma_c = \sigma_b$.
To show:

- $(S; e) \hookrightarrow \sigma_b$, which is immediate from our assumptions, above, and

- $\sigma_b \hookrightarrow \sigma_b$, which follows from either E-Refl or E-ReflErr.

A.6.2 E-ParApp

• E-ParApp: $\sigma = (S; e_1\ e_2)$, and $\sigma_a = (S_1 \sqcup_S S_2; e_1'\ e_2')$.

(NB: For simplicity, we elide renaming throughout this case and assume that configurations can be renamed to meet non-conflicting requirements.)

Given:

- $(S; e_1\ e_2) \hookrightarrow (S_1 \sqcup_S S_2; e_1'\ e_2')$, and

- $(S; e_1\ e_2) \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premises of E-ParApp, we have the following facts:

- $(S; e_1) \hookrightarrow (S_1; e_1')$;

- $(S; e_2) \hookrightarrow (S_2; e_2')$; and

- $S_1 \sqcup_S S_2 \neq \top_S$.

We proceed by subcases, on the last rule in the derivation of $(S; e_1\ e_2) \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-ParApp/E-Refl, E-ParApp/E-ParApp, E-ParApp/E-Beta, E-ParApp/E-AppErr-1, E-ParApp/E-AppErr-2, and E-ParApp/E-ParAppErr.

- E-ParApp/E-Refl:

Analogous to the E-Refl/E-ParApp case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParApp/E-ParApp:

In this case, we have the following facts:

* $\sigma_b = (S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2})$,

* $(S; e_1) \hookrightarrow (S_{b_1}; e_{b_1})$,

* $(S; e_2) \hookrightarrow (S_{b_2}; e_{b_2})$, and

* $S_{b_1} \sqcup_S S_{b_2} \neq \top_S$.

Since $(S; e_1) \hookrightarrow (S_1; e_1')$ and $(S; e_1) \hookrightarrow (S_{b_1}; e_{b_1})$ (from above), we have by IH that there exists $\sigma_{c_1}$ such that $(S_1; e_1') \hookrightarrow \sigma_{c_1}$ and $(S_{b_1}; e_{b_1}) \hookrightarrow \sigma_{c_1}$. Either $\sigma_{c_1}$ is error, or it is some non-error configuration $(S_{c_1}; e_{c_1})$.

Similarly, since $(S; e_2) \hookrightarrow (S_2; e_2')$ and $(S; e_2) \hookrightarrow (S_{b_2}; e_{b_2})$, we have by IH that there exists $\sigma_{c_2}$ such that $(S_2; e_2') \hookrightarrow \sigma_{c_2}$ and $(S_{b_2}; e_{b_2}) \hookrightarrow \sigma_{c_2}$. Either $\sigma_{c_2}$ is error, or it is some non-error configuration $(S_{c_2}; e_{c_2})$.

We're required to show that there exists $\sigma_c$ such that

* $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \sigma_c$, and

* $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \sigma_c$.

We consider possibilities 1, 2 and 3, at least one of which must hold. We will show that in 1, 2, 3a, 3b and 3c $\sigma_c = \mathit{error}$, and in 3d $\sigma_c = (S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2})$.

1. $\sigma_{c_1} = \mathit{error}$.

Then, since $(S_1; e_1') \hookrightarrow \mathit{error}$, we have by E-AppErr-1 that $(S_1; e_1'\ e_2') \hookrightarrow \mathit{error}$. Then, by Lemma 5, $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$. Likewise, since $(S_{b_1}; e_{b_1}) \hookrightarrow \mathit{error}$, we have by E-AppErr-1 that $(S_{b_1}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$, and again by Lemma 5 we have that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$. Therefore $\sigma_c = \mathit{error}$.

2. $\sigma_{c_2} = \mathit{error}$.

An argument analogous to the above applies, this time appealing to E-AppErr-2. Therefore $\sigma_c = \mathit{error}$.

3. $\sigma_{c_1} \neq \mathit{error}$ and $\sigma_{c_2} \neq \mathit{error}$.

Then $\sigma_{c_1} = (S_{c_1}; e_{c_1})$, and $\sigma_{c_2} = (S_{c_2}; e_{c_2})$. At least one of the following four possibilities must hold:

(a) $S_{c_1} \sqcup_S S_2 = \top_S$.

Then, since $(S_1; e_1') \hookrightarrow (S_{c_1}; e_{c_1})$, by Lemma 4 we have that $(S_1 \sqcup_S S_2; e_1') \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-1, $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$.

Next, we show that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2})$ must step to error, as well. At least one of the following three possibilities must hold:

i. $S_{c_1} \sqcup_S S_{b_2} = \top_S$.

Then, since $(S_{b_1}; e_{b_1}) \hookrightarrow (S_{c_1}; e_{c_1})$, by Lemma 4 we have that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}) \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-1, $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$.

ii. $S_{b_1} \sqcup_S S_{c_2} = \top_S$.

Then, since $(S_{b_2}; e_{b_2}) \hookrightarrow (S_{c_2}; e_{c_2})$, by Lemma 4 we have that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_2}) \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-2, $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$.

iii. $S_{c_1} \sqcup_S S_{b_2} \neq \top_S$ and $S_{b_1} \sqcup_S S_{c_2} \neq \top_S$.

Then, since $(S_{b_1}; e_{b_1}) \hookrightarrow (S_{c_1}; e_{c_1})$ and $(S_{b_2}; e_{b_2}) \hookrightarrow (S_{c_2}; e_{c_2})$, we have by Lemma 5 that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}) \hookrightarrow (S_{c_1} \sqcup_S S_{b_2}; e_{c_1})$ and $(S_{b_1} \sqcup_S S_{b_2}; e_{b_2}) \hookrightarrow (S_{b_1} \sqcup_S S_{c_2}; e_{c_2})$. But since $S_{c_1} \sqcup_S S_2 = \top_S$, we have that $S_{c_1} \sqcup_S S_{c_2} = \top_S$, since $S_2 \sqsubseteq_S S_{c_2}$. And since $S_{c_1} \sqcup_S S_{c_2} = \top_S$, we have that:

$(S_{c_1} \sqcup_S S_{b_2}) \sqcup_S (S_{b_1} \sqcup_S S_{c_2}) = S_{c_1} \sqcup_S S_{c_2} \sqcup_S S_{b_1} \sqcup_S S_{b_2}$
$= \top_S \sqcup_S S_{b_1} \sqcup_S S_{b_2}$
$= \top_S$.

Therefore, E-ParAppErr applies, and $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$.

Therefore, in this case, $\sigma_c = \mathit{error}$.

(b) $S_1 \sqcup_S S_{c_2} = \top_S$.

Then, since $(S_2; e_2') \hookrightarrow (S_{c_2}; e_{c_2})$, by Lemma 4 we have that $(S_1 \sqcup_S S_2; e_2') \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-2, $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$.

Next, we show that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2})$ must step to error, as well. At least one of the following three possibilities must hold:

i. $S_{c_1} \sqcup_S S_{b_2} = \top_S$.

Then $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$ by the same argument as 3(a)i.

ii. $S_{b_1} \sqcup_S S_{c_2} = \top_S$.

Then $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$ by the same argument as 3(a)ii.

iii. $S_{c_1} \sqcup_S S_{b_2} \neq \top_S$ and $S_{b_1} \sqcup_S S_{c_2} \neq \top_S$.

Then the argument of 3(a)iii applies, with the modification that, since $S_1 \sqcup_S S_{c_2} = \top_S$, we have that $S_{c_1} \sqcup_S S_{c_2} = \top_S$, since $S_1 \sqsubseteq_S S_{c_1}$. So, $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$.

Therefore, in this case, $\sigma_c = \mathit{error}$.

(c) $S_{c_1} \sqcup_S S_2 \neq \top_S$, $S_1 \sqcup_S S_{c_2} \neq \top_S$, and $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) = \top_S$.

Then, since $(S_1; e_1') \hookrightarrow (S_{c_1}; e_{c_1})$ and $(S_2; e_2') \hookrightarrow (S_{c_2}; e_{c_2})$, we have by Lemma 3 that $(S_1 \sqcup_S S_2; e_1') \hookrightarrow (S_{c_1} \sqcup_S S_2; e_{c_1})$ and $(S_1 \sqcup_S S_2; e_2') \hookrightarrow (S_1 \sqcup_S S_{c_2}; e_{c_2})$. But since $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) = \top_S$, we have by E-ParAppErr that $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$.

Next, we show that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2})$ must step to error, as well. At least one of the following three possibilities must hold:

i. $S_{c_1} \sqcup_S S_{b_2} = \top_S$.

Then $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$ by the same argument as 3(a)i.

ii. $S_{b_1} \sqcup_S S_{c_2} = \top_S$.

Then $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$ by the same argument as 3(a)ii.

iii. $S_{c_1} \sqcup_S S_{b_2} \neq \top_S$ and $S_{b_1} \sqcup_S S_{c_2} \neq \top_S$.

Then the argument of 3(a)iii applies, with the modification that, since $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) = \top_S$, we have that $S_{c_1} \sqcup_S S_{c_2} = \top_S$, since $S_1 \sqsubseteq_S S_{c_1}$ and $S_2 \sqsubseteq_S S_{c_2}$. So, $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow \mathit{error}$.

Therefore, in this case, $\sigma_c = \mathit{error}$.

(d) $S_{c_1} \sqcup_S S_2 \neq \top_S$, $S_1 \sqcup_S S_{c_2} \neq \top_S$, and $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) \neq \top_S$.

Then, since $(S_1; e_1') \hookrightarrow (S_{c_1}; e_{c_1})$ and $(S_2; e_2') \hookrightarrow (S_{c_2}; e_{c_2})$, we have by Lemma 3 that

$(S_1 \sqcup_S S_2; e_1') \hookrightarrow (S_{c_1} \sqcup_S S_2; e_{c_1})$ and $(S_1 \sqcup_S S_2; e_2') \hookrightarrow (S_1 \sqcup_S S_{c_2}; e_{c_2})$.

So, by E-ParApp, we have that $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow ((S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}); e_{c_1}\ e_{c_2})$.

Since $S_1 \sqsubseteq_S S_{c_1}$ and $S_2 \sqsubseteq_S S_{c_2}$, we can simplify $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2})$ to $S_{c_1} \sqcup_S S_{c_2}$, so we have that $S_{c_1} \sqcup_S S_{c_2} \neq \top_S$, and $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow (S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2})$.

Next, we show that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2})$ must step to $(S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2})$, as well. At least one of the following possibilities must hold:

i. $S_{c_1} \sqcup_S S_{b_2} = \top_S$.

Can't happen, because if it were true, we would have $S_{c_1} \sqcup_S S_{c_2} = \top_S$ (since $S_{b_2} \sqsubseteq_S S_{c_2}$), which would contradict $S_{c_1} \sqcup_S S_{c_2} \neq \top_S$, above.

ii. $S_{b_1} \sqcup_S S_{c_2} = \top_S$.

Can't happen, because if it were true, we would have $S_{c_1} \sqcup_S S_{c_2} = \top_S$ (since $S_{b_1} \sqsubseteq_S S_{c_1}$), which would contradict $S_{c_1} \sqcup_S S_{c_2} \neq \top_S$, above.

iii. $S_{c_1} \sqcup_S S_{b_2} \neq \top_S$ and $S_{b_1} \sqcup_S S_{c_2} \neq \top_S$.

Then, since $(S_{b_1}; e_{b_1}) \hookrightarrow (S_{c_1}; e_{c_1})$ and $(S_{b_2}; e_{b_2}) \hookrightarrow (S_{c_2}; e_{c_2})$, we have by Lemma 5 that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}) \hookrightarrow (S_{c_1} \sqcup_S S_{b_2}; e_{c_1})$ and $(S_{b_1} \sqcup_S S_{b_2}; e_{b_2}) \hookrightarrow (S_{b_1} \sqcup_S S_{c_2}; e_{c_2})$.

Then, since $S_{c_1} \sqcup_S S_{c_2} \neq \top_S$ and $S_{b_1} \sqsubseteq_S S_{c_1}$ and $S_{b_2} \sqsubseteq_S S_{c_2}$, we have that $(S_{c_1} \sqcup_S S_{b_2}) \sqcup_S (S_{b_1} \sqcup_S S_{c_2}) \neq \top_S$. Therefore, E-ParApp applies, and we have that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow ((S_{c_1} \sqcup_S S_{b_2}) \sqcup_S (S_{b_1} \sqcup_S S_{c_2}); e_{c_1}\ e_{c_2})$. Since $(S_{c_1} \sqcup_S S_{b_2}) \sqcup_S (S_{b_1} \sqcup_S S_{c_2})$ simplifies to $S_{c_1} \sqcup_S S_{c_2}$, we have that $(S_{b_1} \sqcup_S S_{b_2}; e_{b_1}\ e_{b_2}) \hookrightarrow (S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2})$.
Therefore, in this case, $\sigma_c = (S_{c_1} \sqcup_S S_{c_2}; e_{c_1}\ e_{c_2})$.

- E-ParApp/E-Beta:

In this case, we have the following facts:

* $(S; e_1\ e_2) = (S; (\lambda x.\ e_{11})\ v)$ for some $e_{11}$ and some value $v$; and

* $\sigma_b = (S; e_{11}[x := v])$.

We're required to show that there exists $\sigma_c$ such that

* $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \sigma_c$, and

* $(S; e_{11}[x := v]) \hookrightarrow \sigma_c$.

Choose $\sigma_c = (S; e_{11}[x := v])$. We have from E-Refl that $(S; e_{11}[x := v]) \hookrightarrow (S; e_{11}[x := v])$, so it remains to show that $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow (S; e_{11}[x := v])$.

From the premises of E-ParApp, we have that $(S; e_1) \hookrightarrow (S_1; e_1')$ and $(S; e_2) \hookrightarrow (S_2; e_2')$. But $e_1 = \lambda x.\ e_{11}$, a value, and $e_2 = v$, a value. So it must be the case that $e_1 = e_1'$, $e_2 = e_2'$, and $S = S_1 = S_2$. Therefore, $(S_1 \sqcup_S S_2; e_1'\ e_2') = (S; (\lambda x.\ e_{11})\ v)$, so we have only to show that $(S; e_1\ e_2) \hookrightarrow (S; e_{11}[x := v])$, which is immediate by E-Beta.

- E-ParApp/E-AppErr-1:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$;

* $(S; e_1) \hookrightarrow \mathit{error}$ (from the premise of E-AppErr-1).

We're required to show that there exists $\sigma_c$ such that

* $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$.

Since $(S; e_1) \hookrightarrow \mathit{error}$ and $(S; e_1) \hookrightarrow (S_1; e_1')$ (from the premises of E-ParApp, above), we have by IH that there exists $\sigma_{c_1}$ such that $\mathit{error} \hookrightarrow \sigma_{c_1}$ and $(S_1; e_1') \hookrightarrow \sigma_{c_1}$. Since error can only step to error, $\sigma_{c_1} = \mathit{error}$.

Therefore, $(S_1; e_1') \hookrightarrow \mathit{error}$, so we have that $(S_1; e_1'\ e_2') \hookrightarrow \mathit{error}$ by E-AppErr-1, and therefore $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$ by Lemma 5, as we were required to show.

- E-ParApp/E-AppErr-2:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$;

* $(S; e_2) \hookrightarrow \mathit{error}$ (from the premise of E-AppErr-2).

We're required to show that there exists $\sigma_c$ such that

* $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$.

Since $(S; e_2) \hookrightarrow \mathit{error}$ and $(S; e_2) \hookrightarrow (S_2; e_2')$ (from the premises of E-ParApp, above), we have by IH that there exists $\sigma_{c_2}$ such that $\mathit{error} \hookrightarrow \sigma_{c_2}$ and $(S_2; e_2') \hookrightarrow \sigma_{c_2}$. Since error can only step to error, $\sigma_{c_2} = \mathit{error}$.

Therefore, $(S_2; e_2') \hookrightarrow \mathit{error}$, so we have that $(S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$ by E-AppErr-2, and therefore $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$ by Lemma 5, as we were required to show.

- E-ParApp/E-ParAppErr:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$;

* $(S; e_1) \hookrightarrow (S_{b_1}; e_{b_1})$ for some $S_{b_1}$ and $e_{b_1}$ (from the first premise of E-ParAppErr);

* $(S; e_2) \hookrightarrow (S_{b_2}; e_{b_2})$ for some $S_{b_2}$ and $e_{b_2}$ (from the second premise of E-ParAppErr);

* $S_{b_1} \sqcup_S S_{b_2} = \top_S$ (from the third premise of E-ParAppErr).

We're required to show that there exists $\sigma_c$ such that

* $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$.

Since $(S; e_1) \hookrightarrow (S_1; e_1')$ (from the first premise of E-ParApp) and $(S; e_1) \hookrightarrow (S_{b_1}; e_{b_1})$, and since $(S; e_2) \hookrightarrow (S_2; e_2')$ (from the second premise of E-ParApp) and $(S; e_2) \hookrightarrow (S_{b_2}; e_{b_2})$, we have by IH that there exist $\sigma_{c_1}$ and $\sigma_{c_2}$ such that $(S_1; e_1') \hookrightarrow \sigma_{c_1}$ and $(S_{b_1}; e_{b_1}) \hookrightarrow \sigma_{c_1}$, and that $(S_2; e_2') \hookrightarrow \sigma_{c_2}$ and $(S_{b_2}; e_{b_2}) \hookrightarrow \sigma_{c_2}$.

We consider the following possibilities, at least one of which must hold:

* $\sigma_{c_1} = \mathit{error}$.

In this case, since $(S_1; e_1') \hookrightarrow \mathit{error}$, we have by E-AppErr-1 that $(S_1; e_1'\ e_2') \hookrightarrow \mathit{error}$. Therefore, by Lemma 5, we have that $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$, as we were required to show.

* $\sigma_{c_2} = \mathit{error}$.

In this case, since $(S_2; e_2') \hookrightarrow \mathit{error}$, we have by E-AppErr-2 that $(S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$. Therefore, by Lemma 5, we have that $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$, as we were required to show.

* $\sigma_{c_1} = (S_{c_1}; e_{c_1}) \neq \mathit{error}$ and $\sigma_{c_2} = (S_{c_2}; e_{c_2}) \neq \mathit{error}$.

In this case, at least one of the following three possibilities must hold:

1. $S_{c_1} \sqcup_S S_2 = \top_S$.

Since $(S_1; e_1') \hookrightarrow (S_{c_1}; e_{c_1})$ and $S_{c_1} \sqcup_S S_2 = \top_S$, we have by Lemma 4 that $(S_1 \sqcup_S S_2; e_1') \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-1, $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$, as we were required to show.

2. $S_1 \sqcup_S S_{c_2} = \top_S$.

Since $(S_2; e_2') \hookrightarrow (S_{c_2}; e_{c_2})$ and $S_1 \sqcup_S S_{c_2} = \top_S$, we have by Lemma 4 that $(S_1 \sqcup_S S_2; e_2') \hookrightarrow \mathit{error}$. Therefore, by E-AppErr-2, $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$, as we were required to show.

3. $S_{c_1} \sqcup_S S_2 \neq \top_S$ and $S_1 \sqcup_S S_{c_2} \neq \top_S$.

In this case, since $(S_1; e_1') \hookrightarrow (S_{c_1}; e_{c_1})$ and $S_{c_1} \sqcup_S S_2 \neq \top_S$, we have by Lemma 3 that $(S_1 \sqcup_S S_2; e_1') \hookrightarrow (S_{c_1} \sqcup_S S_2; e_{c_1})$.

Likewise, since $(S_2; e_2') \hookrightarrow (S_{c_2}; e_{c_2})$ and $S_1 \sqcup_S S_{c_2} \neq \top_S$, we have by Lemma 3 that $(S_1 \sqcup_S S_2; e_2') \hookrightarrow (S_1 \sqcup_S S_{c_2}; e_{c_2})$.

But since $S_{b_1} \sqsubseteq_S S_{c_1}$ and $S_{b_2} \sqsubseteq_S S_{c_2}$ and $S_{b_1} \sqcup_S S_{b_2} = \top_S$, it must be the case that $S_{c_1} \sqcup_S S_{c_2} = \top_S$. Therefore we have that $(S_{c_1} \sqcup_S S_2) \sqcup_S (S_1 \sqcup_S S_{c_2}) = S_{c_1} \sqcup_S S_{c_2} = \top_S$. So, by E-ParAppErr, $(S_1 \sqcup_S S_2; e_1'\ e_2') \hookrightarrow \mathit{error}$, as we were required to show.



A.6.3 E-Put-1

• E-Put-1: $\sigma = (S; \mathit{put}\ e_1\ e_2)$, and $\sigma_a = (S_1; \mathit{put}\ e_1'\ e_2)$.
Given:

- $(S; \mathit{put}\ e_1\ e_2) \hookrightarrow (S_1; \mathit{put}\ e_1'\ e_2)$, and

- $(S; \mathit{put}\ e_1\ e_2) \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e_1')$.

We proceed by subcases, on the last rule in the derivation of $(S; \mathit{put}\ e_1\ e_2) \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-Put-1/E-Refl, E-Put-1/E-Put-1, E-Put-1/E-Put-2, E-Put-1/E-PutVal, E-Put-1/E-PutErr-1, E-Put-1/E-PutErr-2, and E-Put-1/E-PutValErr.

- E-Put-1/E-Refl:

Analogous to the E-Refl/E-Put-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Put-1/E-Put-1:

In this case, we have the following facts:

* $\sigma_b = (S_{b_1}; \mathit{put}\ e_{b_1}\ e_2)$, and

* $(S; e_1) \hookrightarrow (S_{b_1}; e_{b_1})$.

Since $(S; e_1) \hookrightarrow (S_1; e_1')$ and $(S; e_1) \hookrightarrow (S_{b_1}; e_{b_1})$, we have by IH that there exists $\sigma_{c_1}$ such that $(S_1; e_1') \hookrightarrow \sigma_{c_1}$ and $(S_{b_1}; e_{b_1}) \hookrightarrow \sigma_{c_1}$. Either $\sigma_{c_1}$ is error, or it is some non-error configuration $(S_{c_1}; e_{c_1})$.

We're required to show that there exists $\sigma_c$ such that

* $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \sigma_c$, and

* $(S_{b_1}; \mathit{put}\ e_{b_1}\ e_2) \hookrightarrow \sigma_c$.

We consider the following possibilities, one of which must hold.

1. $\sigma_{c_1} = \mathit{error}$.

Then, since $(S_1; e_1') \hookrightarrow \mathit{error}$, we have by E-PutErr-1 that $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \mathit{error}$. Likewise, since $(S_{b_1}; e_{b_1}) \hookrightarrow \mathit{error}$, we have by E-PutErr-1 that $(S_{b_1}; \mathit{put}\ e_{b_1}\ e_2) \hookrightarrow \mathit{error}$. Therefore $\sigma_c = \mathit{error}$.

2. $\sigma_{c_1} = (S_{c_1}; e_{c_1})$.

Then, since $(S_1; e_1') \hookrightarrow (S_{c_1}; e_{c_1})$, we have by E-Put-1 that $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow (S_{c_1}; \mathit{put}\ e_{c_1}\ e_2)$. Likewise, since $(S_{b_1}; e_{b_1}) \hookrightarrow (S_{c_1}; e_{c_1})$, we have by E-Put-1 that $(S_{b_1}; \mathit{put}\ e_{b_1}\ e_2) \hookrightarrow (S_{c_1}; \mathit{put}\ e_{c_1}\ e_2)$. Therefore $\sigma_c = (S_{c_1}; \mathit{put}\ e_{c_1}\ e_2)$.

- E-Put-1/E-Put-2:

(NB: In this case we assume that configurations are renamed as necessary to meet non-conflicting requirements.)

In this case, we have the following facts:

* $\sigma_b = (S_{b_2}; \mathit{put}\ e_1\ e_{b_2})$, and

* $(S; e_2) \hookrightarrow (S_{b_2}; e_{b_2})$.

We're required to show that there exists $\sigma_c$ such that

* $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \sigma_c$, and

* $(S_{b_2}; \mathit{put}\ e_1\ e_{b_2}) \hookrightarrow \sigma_c$.

We consider the following two possibilities, one of which must hold:

1. $S_1 \sqcup_S S_{b_2} = \top_S$.

Since $(S; e_2) \hookrightarrow (S_{b_2}; e_{b_2})$ (from above), and since $S_1 \sqcup_S S_{b_2} = S_{b_2} \sqcup_S S_1 = \top_S$, we have by Lemma 4 that $(S \sqcup_S S_1; e_2) \hookrightarrow \mathit{error}$.

Since $S \sqsubseteq_S S_1$, we have that $S \sqcup_S S_1 = S_1$, so $(S_1; e_2) \hookrightarrow \mathit{error}$.
Therefore, by E-PutErr-2, $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \mathit{error}$.

Similarly, since $(S; e_1) \hookrightarrow (S_1; e_1')$ (from the premise of E-Put-1), and since $S_1 \sqcup_S S_{b_2} = \top_S$, we have by Lemma 4 that $(S \sqcup_S S_{b_2}; e_1) \hookrightarrow \mathit{error}$.

Since $S \sqsubseteq_S S_{b_2}$, we have that $S \sqcup_S S_{b_2} = S_{b_2}$, so $(S_{b_2}; e_1) \hookrightarrow \mathit{error}$.

Therefore, by E-PutErr-1, $(S_{b_2}; \mathit{put}\ e_1\ e_{b_2}) \hookrightarrow \mathit{error}$.

Therefore $\sigma_c = \mathit{error}$.

2. $S_1 \sqcup_S S_{b_2} \neq \top_S$.

Since $(S; e_2) \hookrightarrow (S_{b_2}; e_{b_2})$ (from above), and since $S_1 \sqcup_S S_{b_2} = S_{b_2} \sqcup_S S_1 \neq \top_S$, we have by Lemma 5 that $(S \sqcup_S S_1; e_2) \hookrightarrow (S_{b_2} \sqcup_S S_1; e_{b_2})$.

Since $S \sqsubseteq_S S_1$, we have that $S \sqcup_S S_1 = S_1$, so $(S_1; e_2) \hookrightarrow (S_{b_2} \sqcup_S S_1; e_{b_2})$.
Therefore, by E-Put-2, $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow (S_{b_2} \sqcup_S S_1; \mathit{put}\ e_1'\ e_{b_2})$.

Similarly, since $(S; e_1) \hookrightarrow (S_1; e_1')$ (from the premise of E-Put-1), and since $S_1 \sqcup_S S_{b_2} \neq \top_S$, we have by Lemma 3 that $(S \sqcup_S S_{b_2}; e_1) \hookrightarrow (S_1 \sqcup_S S_{b_2}; e_1')$.

Since $S \sqsubseteq_S S_{b_2}$, we have that $S \sqcup_S S_{b_2} = S_{b_2}$, so $(S_{b_2}; e_1) \hookrightarrow (S_1 \sqcup_S S_{b_2}; e_1')$.

Therefore, by E-Put-1, $(S_{b_2}; \mathit{put}\ e_1\ e_{b_2}) \hookrightarrow (S_1 \sqcup_S S_{b_2}; \mathit{put}\ e_1'\ e_{b_2})$.

Therefore $\sigma_c = (S_1 \sqcup_S S_{b_2}; \mathit{put}\ e_1'\ e_{b_2})$.

- E-Put-1/E-PutVal:

In this case, we have the following facts:

* $(S; \mathit{put}\ e_1\ e_2) = (S; \mathit{put}\ l\ \{d_1\})$,

* $\sigma_b = (S[l \mapsto d_1 \sqcup d_2]; \{\})$, and

* $S(l) = d_2 \wedge d_1 \in D \wedge d_1 \sqcup d_2 \neq \top$ (from the premises of E-PutVal).

We're required to show that there exists $\sigma_c$ such that

* $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \sigma_c$, and

* $(S[l \mapsto d_1 \sqcup d_2]; \{\}) \hookrightarrow \sigma_c$.

Choose $\sigma_c = (S[l \mapsto d_1 \sqcup d_2]; \{\})$. We have from E-Refl that $(S[l \mapsto d_1 \sqcup d_2]; \{\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2]; \{\})$, so it remains to show that $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2]; \{\})$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e_1')$. But $e_1 = l$, a value, so it must be the case that $e_1 = e_1'$ and $S = S_1$. Therefore, $(S_1; \mathit{put}\ e_1'\ e_2) = (S; \mathit{put}\ e_1\ e_2)$. Further, since $e_1 = l$ and $e_2 = \{d_1\}$, $(S_1; \mathit{put}\ e_1'\ e_2) = (S; \mathit{put}\ l\ \{d_1\})$. So we have only to show that $(S; \mathit{put}\ l\ \{d_1\}) \hookrightarrow (S[l \mapsto d_1 \sqcup d_2]; \{\})$, which is immediate by E-PutVal, since all of the premises hold.

- E-Put-1/E-PutErr-1:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$, and

* $(S; e_1) \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-1).

We're required to show that there exists $\sigma_c$ such that

* $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \mathit{error}$.

Since $(S; e_1) \hookrightarrow \mathit{error}$ and $(S; e_1) \hookrightarrow (S_1; e_1')$ (from the premise of E-Put-1, above), we have by IH that there exists $\sigma_{c_1}$ such that $\mathit{error} \hookrightarrow \sigma_{c_1}$ and $(S_1; e_1') \hookrightarrow \sigma_{c_1}$. Since error can only step to error, $\sigma_{c_1} = \mathit{error}$.

Therefore, $(S_1; e_1') \hookrightarrow \mathit{error}$, so we have that $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \mathit{error}$ by E-PutErr-1, as we were required to show.

- E-Put-1/E-PutErr-2:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$, and

* $(S; e_2) \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-2).

We're required to show that there exists $\sigma_c$ such that

* $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \mathit{error}$.

Since $(S; e_2) \hookrightarrow \mathit{error}$, we have by E-PutErr-2 that $(S; \mathit{put}\ e_1'\ e_2) \hookrightarrow \mathit{error}$. So, since $S \sqsubseteq_S S_1$, we have by Lemma 5 that $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \mathit{error}$, as we were required to show.

- E-Put-1/E-PutValErr:

In this case, we have the following facts:

* $(S; \mathit{put}\ e_1\ e_2) = (S; \mathit{put}\ l\ \{d_1\})$,

* $\sigma_b = \mathit{error}$, and

* $S(l) = d_2 \wedge d_1 \in D \wedge d_1 \sqcup d_2 = \top$ (from the premises of E-PutValErr).

We're required to show that there exists $\sigma_c$ such that

* $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have from E-ReflErr that $\mathit{error} \hookrightarrow \mathit{error}$, so it remains to show that $(S_1; \mathit{put}\ e_1'\ e_2) \hookrightarrow \mathit{error}$.

From the premise of E-Put-1, we have that $(S; e_1) \hookrightarrow (S_1; e_1')$. But $e_1 = l$, a value, so it must be the case that $e_1 = e_1'$ and $S = S_1$. Therefore, $(S_1; \mathit{put}\ e_1'\ e_2) = (S; \mathit{put}\ e_1\ e_2)$. Further, since $e_1 = l$ and $e_2 = \{d_1\}$, $(S_1; \mathit{put}\ e_1'\ e_2) = (S; \mathit{put}\ l\ \{d_1\})$. So we have only to show that $(S; \mathit{put}\ l\ \{d_1\}) \hookrightarrow \mathit{error}$, which is immediate by E-PutValErr, since all of the premises hold.

A.6.4 E-Put-2 

• E-Put-2: $\sigma = \langle S; \mathtt{put}\ e_1\ e_2\rangle$, and $\sigma_a = \langle S_2; \mathtt{put}\ e_1\ e_2'\rangle$.
Given:

- $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \langle S_2; \mathtt{put}\ e_1\ e_2'\rangle$, and

- $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Put-2, we have that $\langle S; e_2\rangle \hookrightarrow \langle S_2; e_2'\rangle$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-Put-2/E-Refl, E-Put-2/E-Put-1, E-Put-2/E-Put-2, E-Put-2/E-PutVal, E-Put-2/E-PutErr-1, E-Put-2/E-PutErr-2, and E-Put-2/E-PutValErr.

- E-Put-2/E-Refl:

Analogous to the E-Refl/E-Put-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Put-2/E-Put-1:

Analogous to the E-Put-1/E-Put-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Put-2/E-Put-2:

In this case, we have the following facts:

* $\sigma_b = \langle S_{b2}; \mathtt{put}\ e_1\ e_{b2}\rangle$, and

* $\langle S; e_2\rangle \hookrightarrow \langle S_{b2}; e_{b2}\rangle$.

Since $\langle S; e_2\rangle \hookrightarrow \langle S_2; e_2'\rangle$ and $\langle S; e_2\rangle \hookrightarrow \langle S_{b2}; e_{b2}\rangle$, we have by IH that there exists $\sigma_{c2}$ such that $\langle S_2; e_2'\rangle \hookrightarrow \sigma_{c2}$ and $\langle S_{b2}; e_{b2}\rangle \hookrightarrow \sigma_{c2}$. Either $\sigma_{c2}$ is error, or it is some non-error configuration $\langle S_{c2}; e_{c2}\rangle$.

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \sigma_c$, and

* $\langle S_{b2}; \mathtt{put}\ e_1\ e_{b2}\rangle \hookrightarrow \sigma_c$.

We consider the following possibilities, one of which must hold.

1. $\sigma_{c2} = \mathit{error}$.

Then, since $\langle S_2; e_2'\rangle \hookrightarrow \mathit{error}$, we have by E-PutErr-2 that $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \mathit{error}$. Likewise, since $\langle S_{b2}; e_{b2}\rangle \hookrightarrow \mathit{error}$, we have by E-PutErr-2 that $\langle S_{b2}; \mathtt{put}\ e_1\ e_{b2}\rangle \hookrightarrow \mathit{error}$. Therefore $\sigma_c = \mathit{error}$.

2. $\sigma_{c2} = \langle S_{c2}; e_{c2}\rangle$.

Then, since $\langle S_2; e_2'\rangle \hookrightarrow \langle S_{c2}; e_{c2}\rangle$, we have by E-Put-2 that $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \langle S_{c2}; \mathtt{put}\ e_1\ e_{c2}\rangle$. Likewise, since $\langle S_{b2}; e_{b2}\rangle \hookrightarrow \langle S_{c2}; e_{c2}\rangle$, we have by E-Put-2 that $\langle S_{b2}; \mathtt{put}\ e_1\ e_{b2}\rangle \hookrightarrow \langle S_{c2}; \mathtt{put}\ e_1\ e_{c2}\rangle$. Therefore $\sigma_c = \langle S_{c2}; \mathtt{put}\ e_1\ e_{c2}\rangle$.

- E-Put-2/E-PutVal:

In this case, we have the following facts:

* $\langle S; \mathtt{put}\ e_1\ e_2\rangle = \langle S; \mathtt{put}\ l\ \{d_1\}\rangle$,

* $\sigma_b = \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$, and

* $S(l) = d_2 \wedge d_1 \in D \wedge d_1 \sqcup d_2 \neq \top$ (from the premises of E-PutVal).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \sigma_c$, and

* $\langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$. We have from E-Refl that $\langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$, so it remains to show that $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$.

From the premise of E-Put-2, we have that $\langle S; e_2\rangle \hookrightarrow \langle S_2; e_2'\rangle$. But $e_2 = \{d_1\}$, a value, so it must be the case that $e_2 = e_2'$ and $S = S_2$. Therefore, $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle = \langle S; \mathtt{put}\ e_1\ e_2\rangle$. Further, since $e_1 = l$ and $e_2 = \{d_1\}$, $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle = \langle S; \mathtt{put}\ l\ \{d_1\}\rangle$. So we have only to show that $\langle S; \mathtt{put}\ l\ \{d_1\}\rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$, which is immediate by E-PutVal, since all of the premises hold.

- E-Put-2/E-PutErr-1:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$, and

* $\langle S; e_1\rangle \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-1).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \mathit{error}$.

Since $\langle S; e_1\rangle \hookrightarrow \mathit{error}$ and $S \sqsubseteq_S S_2$, we have by Lemma 5 that $\langle S_2; e_1\rangle \hookrightarrow \mathit{error}$, and hence by E-PutErr-1 that $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \mathit{error}$, as we were required to show.

- E-Put-2/E-PutErr-2:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$, and

* $\langle S; e_2\rangle \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-2).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \mathit{error}$.

Since $\langle S; e_2\rangle \hookrightarrow \mathit{error}$ and $\langle S; e_2\rangle \hookrightarrow \langle S_2; e_2'\rangle$ (from the premise of E-Put-2, above), we have by IH that there exists $\sigma_{c2}$ such that $\mathit{error} \hookrightarrow \sigma_{c2}$ and $\langle S_2; e_2'\rangle \hookrightarrow \sigma_{c2}$. Since error can only step to error, $\sigma_{c2} = \mathit{error}$.

Therefore, $\langle S_2; e_2'\rangle \hookrightarrow \mathit{error}$, so we have that $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \mathit{error}$ by E-PutErr-2, as we were required to show.

- E-Put-2/E-PutValErr:

In this case, we have the following facts:

* $\langle S; \mathtt{put}\ e_1\ e_2\rangle = \langle S; \mathtt{put}\ l\ \{d_1\}\rangle$,

* $\sigma_b = \mathit{error}$, and

* $S(l) = d_2 \wedge d_1 \in D \wedge d_1 \sqcup d_2 = \top$ (from the premises of E-PutValErr).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have from E-ReflErr that $\mathit{error} \hookrightarrow \mathit{error}$, so it remains to show that $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle \hookrightarrow \mathit{error}$.

From the premise of E-Put-2, we have that $\langle S; e_2\rangle \hookrightarrow \langle S_2; e_2'\rangle$. But $e_2 = \{d_1\}$, a value, so it must be the case that $e_2 = e_2'$ and $S = S_2$. Therefore, $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle = \langle S; \mathtt{put}\ e_1\ e_2\rangle$. Further, since $e_1 = l$ and $e_2 = \{d_1\}$, $\langle S_2; \mathtt{put}\ e_1\ e_2'\rangle = \langle S; \mathtt{put}\ l\ \{d_1\}\rangle$. So we have only to show that $\langle S; \mathtt{put}\ l\ \{d_1\}\rangle \hookrightarrow \mathit{error}$, which is immediate by E-PutValErr, since all of the premises hold.
A.6.5 E-Get-1

• E-Get-1: $\sigma = \langle S; \mathtt{get}\ e_1\ e_2\rangle$, and $\sigma_a = \langle S_1; \mathtt{get}\ e_1'\ e_2\rangle$.
Given:

- $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \langle S_1; \mathtt{get}\ e_1'\ e_2\rangle$, and

- $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S_1; \mathtt{get}\ e_1'\ e_2\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Get-1, we have that $\langle S; e_1\rangle \hookrightarrow \langle S_1; e_1'\rangle$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-Get-1/E-Refl, E-Get-1/E-Get-1, E-Get-1/E-Get-2, E-Get-1/E-GetVal, E-Get-1/E-GetErr-1, and E-Get-1/E-GetErr-2.

- E-Get-1/E-Refl:

Analogous to the E-Refl/E-Get-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Get-1/E-Get-1:
Analogous to E-Put-1/E-Put-1.

- E-Get-1/E-Get-2:
Analogous to E-Put-1/E-Put-2.

- E-Get-1/E-GetVal:

In this case, we have the following facts:

* $\langle S; \mathtt{get}\ e_1\ e_2\rangle = \langle S; \mathtt{get}\ l\ Q\rangle$,

* $\sigma_b = \langle S; \{d_1\}\rangle$, and

* $S(l) = d_2 \wedge \mathit{incomp}(Q) \wedge Q \subseteq D \wedge d_1 \in Q \wedge d_1 \sqsubseteq d_2$ (from the premises of E-GetVal).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_1; \mathtt{get}\ e_1'\ e_2\rangle \hookrightarrow \sigma_c$, and

* $\langle S; \{d_1\}\rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S; \{d_1\}\rangle$. We have from E-Refl that $\langle S; \{d_1\}\rangle \hookrightarrow \langle S; \{d_1\}\rangle$, so it remains to show that $\langle S_1; \mathtt{get}\ e_1'\ e_2\rangle \hookrightarrow \langle S; \{d_1\}\rangle$.

From the premise of E-Get-1, we have that $\langle S; e_1\rangle \hookrightarrow \langle S_1; e_1'\rangle$. But $e_1 = l$, a value, so it must be the case that $e_1 = e_1'$ and $S = S_1$. Therefore, $\langle S_1; \mathtt{get}\ e_1'\ e_2\rangle = \langle S; \mathtt{get}\ e_1\ e_2\rangle$. Further, since $e_1 = l$ and $e_2 = Q$, $\langle S_1; \mathtt{get}\ e_1'\ e_2\rangle = \langle S; \mathtt{get}\ l\ Q\rangle$. So we have only to show that $\langle S; \mathtt{get}\ l\ Q\rangle \hookrightarrow \langle S; \{d_1\}\rangle$, which is immediate by E-GetVal, since all of the premises hold.

- E-Get-1/E-GetErr-1:
Analogous to E-Put-1/E-PutErr-1.

- E-Get-1/E-GetErr-2:
Analogous to E-Put-1/E-PutErr-2.
A.6.6 E-Get-2

• E-Get-2: $\sigma = \langle S; \mathtt{get}\ e_1\ e_2\rangle$, and $\sigma_a = \langle S_2; \mathtt{get}\ e_1\ e_2'\rangle$.
Given:

- $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \langle S_2; \mathtt{get}\ e_1\ e_2'\rangle$, and

- $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S_2; \mathtt{get}\ e_1\ e_2'\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Get-2, we have that $\langle S; e_2\rangle \hookrightarrow \langle S_2; e_2'\rangle$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-Get-2/E-Refl, E-Get-2/E-Get-1, E-Get-2/E-Get-2, E-Get-2/E-GetVal, E-Get-2/E-GetErr-1, and E-Get-2/E-GetErr-2.

- E-Get-2/E-Refl:

Analogous to the E-Refl/E-Get-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Get-2/E-Get-1:
Analogous to E-Put-2/E-Put-1.

- E-Get-2/E-Get-2:
Analogous to E-Put-2/E-Put-2.

- E-Get-2/E-GetVal:

In this case, we have the following facts:

* $\langle S; \mathtt{get}\ e_1\ e_2\rangle = \langle S; \mathtt{get}\ l\ Q\rangle$,

* $\sigma_b = \langle S; \{d_1\}\rangle$, and

* $S(l) = d_2 \wedge \mathit{incomp}(Q) \wedge Q \subseteq D \wedge d_1 \in Q \wedge d_1 \sqsubseteq d_2$ (from the premises of E-GetVal).

We're required to show that there exists $\sigma_c$ such that

* $\langle S_2; \mathtt{get}\ e_1\ e_2'\rangle \hookrightarrow \sigma_c$, and

* $\langle S; \{d_1\}\rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S; \{d_1\}\rangle$. We have from E-Refl that $\langle S; \{d_1\}\rangle \hookrightarrow \langle S; \{d_1\}\rangle$, so it remains to show that $\langle S_2; \mathtt{get}\ e_1\ e_2'\rangle \hookrightarrow \langle S; \{d_1\}\rangle$.

From the premise of E-Get-2, we have that $\langle S; e_2\rangle \hookrightarrow \langle S_2; e_2'\rangle$. But $e_2 = Q$, a value, so it must be the case that $e_2 = e_2'$ and $S = S_2$. Therefore, $\langle S_2; \mathtt{get}\ e_1\ e_2'\rangle = \langle S; \mathtt{get}\ e_1\ e_2\rangle$. Further, since $e_1 = l$ and $e_2 = Q$, $\langle S_2; \mathtt{get}\ e_1\ e_2'\rangle = \langle S; \mathtt{get}\ l\ Q\rangle$. So we have only to show that $\langle S; \mathtt{get}\ l\ Q\rangle \hookrightarrow \langle S; \{d_1\}\rangle$, which is immediate by E-GetVal, since all of the premises hold.

- E-Get-2/E-GetErr-1:
Analogous to E-Put-2/E-PutErr-1.

- E-Get-2/E-GetErr-2:
Analogous to E-Put-2/E-PutErr-2.
A.6.7 E-Convert

• E-Convert: $\sigma = \langle S; \mathtt{convert}\ e\rangle$, and $\sigma_a = \langle S'; \mathtt{convert}\ e'\rangle$.
Given:

- $\langle S; \mathtt{convert}\ e\rangle \hookrightarrow \langle S'; \mathtt{convert}\ e'\rangle$, and

- $\langle S; \mathtt{convert}\ e\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

From the premise of E-Convert, we have that $\langle S; e\rangle \hookrightarrow \langle S'; e'\rangle$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{convert}\ e\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are four possibilities: E-Convert/E-Refl, E-Convert/E-Convert, E-Convert/E-ConvertVal, and E-Convert/E-ConvertErr.

- E-Convert/E-Refl:

Analogous to the E-Refl/E-Convert case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Convert/E-Convert:

In this case, we have the following facts:

* $\sigma_b = \langle S_b; \mathtt{convert}\ e_b\rangle$, and

* $\langle S; e\rangle \hookrightarrow \langle S_b; e_b\rangle$ (from the premise of E-Convert).

Since $\langle S; e\rangle \hookrightarrow \langle S'; e'\rangle$ and $\langle S; e\rangle \hookrightarrow \langle S_b; e_b\rangle$, we have by IH that there exists $\sigma_c'$ such that $\langle S'; e'\rangle \hookrightarrow \sigma_c'$ and $\langle S_b; e_b\rangle \hookrightarrow \sigma_c'$. Either $\sigma_c'$ is error, or it is some non-error configuration $\langle S_c'; e_c'\rangle$.
We're required to show that there exists $\sigma_c$ such that

* $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \sigma_c$, and

* $\langle S_b; \mathtt{convert}\ e_b\rangle \hookrightarrow \sigma_c$.

We consider the following possibilities, one of which must hold.

1. $\sigma_c' = \mathit{error}$.

Then, since $\langle S'; e'\rangle \hookrightarrow \mathit{error}$, we have by E-ConvertErr that $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \mathit{error}$. Likewise, since $\langle S_b; e_b\rangle \hookrightarrow \mathit{error}$, we have by E-ConvertErr that $\langle S_b; \mathtt{convert}\ e_b\rangle \hookrightarrow \mathit{error}$. Therefore $\sigma_c = \mathit{error}$.

2. $\sigma_c' = \langle S_c'; e_c'\rangle$.

Then, since $\langle S'; e'\rangle \hookrightarrow \langle S_c'; e_c'\rangle$, we have by E-Convert that $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \langle S_c'; \mathtt{convert}\ e_c'\rangle$. Likewise, since $\langle S_b; e_b\rangle \hookrightarrow \langle S_c'; e_c'\rangle$, we have by E-Convert that $\langle S_b; \mathtt{convert}\ e_b\rangle \hookrightarrow \langle S_c'; \mathtt{convert}\ e_c'\rangle$. Therefore $\sigma_c = \langle S_c'; \mathtt{convert}\ e_c'\rangle$.

- E-Convert/E-ConvertVal:

In this case, we have the following facts:

* $\langle S; \mathtt{convert}\ e\rangle = \langle S; \mathtt{convert}\ Q\rangle$, and

* $\sigma_b = \langle S; \delta(Q)\rangle$.

We're required to show that there exists $\sigma_c$ such that

* $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \sigma_c$, and

* $\langle S; \delta(Q)\rangle \hookrightarrow \sigma_c$.

Choose $\sigma_c = \langle S; \delta(Q)\rangle$. We have from E-Refl that $\langle S; \delta(Q)\rangle \hookrightarrow \langle S; \delta(Q)\rangle$, so it remains to show that $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \langle S; \delta(Q)\rangle$.

From the premise of E-Convert, we have that $\langle S; e\rangle \hookrightarrow \langle S'; e'\rangle$. But $e = Q$, a value, so it must be the case that $e = e'$ and $S = S'$. Therefore, $\langle S'; \mathtt{convert}\ e'\rangle = \langle S; \mathtt{convert}\ Q\rangle$. So we have only to show that $\langle S; \mathtt{convert}\ Q\rangle \hookrightarrow \langle S; \delta(Q)\rangle$, which is immediate by E-ConvertVal.

- E-Convert/E-ConvertErr:

In this case, we have the following facts:

* $\sigma_b = \mathit{error}$, and

* $\langle S; e\rangle \hookrightarrow \mathit{error}$ (from the premise of E-ConvertErr).

We're required to show that there exists $\sigma_c$ such that

* $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \sigma_c$, and

* $\mathit{error} \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \mathit{error}$.

Since $\langle S; e\rangle \hookrightarrow \mathit{error}$ and $\langle S; e\rangle \hookrightarrow \langle S'; e'\rangle$ (from the premise of E-Convert, above), we have by IH that there exists $\sigma_c'$ such that $\mathit{error} \hookrightarrow \sigma_c'$ and $\langle S'; e'\rangle \hookrightarrow \sigma_c'$. Since error can only step to error, $\sigma_c' = \mathit{error}$.

Therefore, $\langle S'; e'\rangle \hookrightarrow \mathit{error}$, so we have that $\langle S'; \mathtt{convert}\ e'\rangle \hookrightarrow \mathit{error}$ by E-ConvertErr, as we were required to show.

A.6.8 E-Beta

• E-Beta: $\sigma = \langle S; (\lambda x.\ e)\ v\rangle$, and $\sigma_a = \langle S; e[x := v]\rangle$.
Given:

- $\langle S; (\lambda x.\ e)\ v\rangle \hookrightarrow \langle S; e[x := v]\rangle$, and

- $\langle S; (\lambda x.\ e)\ v\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S; e[x := v]\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; (\lambda x.\ e)\ v\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-Beta/E-Refl, E-Beta/E-ParApp, E-Beta/E-Beta, E-Beta/E-AppErr-1, E-Beta/E-AppErr-2, and E-Beta/E-ParAppErr.

- E-Beta/E-Refl:

Analogous to the E-Refl/E-Beta case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Beta/E-ParApp:

Analogous to the E-ParApp/E-Beta case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-Beta/E-Beta:

In this case, by the operational semantics, $\sigma_b = \langle S; e[x := v]\rangle$. Since $\sigma_a = \sigma_b = \langle S; e[x := v]\rangle$, choose $\sigma_c = \langle S; e[x := v]\rangle$. By E-Refl, both $\sigma_a$ and $\sigma_b$ step to $\sigma_c$, as we were required to show.

- E-Beta/E-AppErr-1:

For this case to occur, we would need to have $\langle S; \lambda x.\ e\rangle \hookrightarrow \mathit{error}$ (from the premise of E-AppErr-1). But $\lambda x.\ e$ is a value (and $S \neq \top_S$), so $\langle S; \lambda x.\ e\rangle$ can only step to $\langle S; \lambda x.\ e\rangle$, not error. Therefore, this case cannot occur.

- E-Beta/E-AppErr-2:

For this case to occur, we would need to have $\langle S; v\rangle \hookrightarrow \mathit{error}$ (from the premise of E-AppErr-2). But $v$ is a value (and $S \neq \top_S$), so $\langle S; v\rangle$ can only step to $\langle S; v\rangle$, not error. Therefore, this case cannot occur.

- E-Beta/E-ParAppErr:

For this case to occur, by the premises of E-ParAppErr, we would need to have $\langle S; \lambda x.\ e\rangle$ step to some configuration $\langle S_1; e_1'\rangle$ and $\langle S; v\rangle$ step to some configuration $\langle S_2; e_2'\rangle$, where $S_1 \sqcup_S S_2 = \top_S$. But $\lambda x.\ e$ and $v$ are values (and $S \neq \top_S$), so $\langle S; \lambda x.\ e\rangle$ can only step to $\langle S; \lambda x.\ e\rangle$ and $\langle S; v\rangle$ can only step to $\langle S; v\rangle$. Therefore $S_1 = S_2 = S$, so $S_1 \sqcup_S S_2 = S \neq \top_S$, and so this case cannot occur.

A.6.9 E-New

• E-New: $\sigma = \langle S; \mathtt{new}\rangle$, and $\sigma_a = \langle S[l \mapsto \bot]; l\rangle$.
Given:

- $\langle S; \mathtt{new}\rangle \hookrightarrow \langle S[l \mapsto \bot]; l\rangle$, and

- $\langle S; \mathtt{new}\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S[l \mapsto \bot]; l\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{new}\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are two possibilities: E-New/E-Refl and E-New/E-New.

- E-New/E-Refl:

Analogous to the E-Refl/E-New case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-New/E-New:

In this case, $\sigma_b = \langle S[l' \mapsto \bot]; l'\rangle$.
To show: There exists $\sigma_c$ such that

* $\langle S[l \mapsto \bot]; l\rangle \hookrightarrow \sigma_c$, and

* $\langle S[l' \mapsto \bot]; l'\rangle \hookrightarrow \sigma_c$.

One of the following two possibilities must hold:

* $l' = l$.

In this case, both $\langle S[l \mapsto \bot]; l\rangle$ and $\langle S[l' \mapsto \bot]; l'\rangle$ step to $\langle S[l \mapsto \bot]; l\rangle$ by E-Refl. Therefore $\sigma_c = \langle S[l \mapsto \bot]; l\rangle$.

* $l' \neq l$.

In this case, $\mathit{dom}(S[l \mapsto \bot]) - \mathit{dom}(S) = \{l\}$, and $l' \notin \mathit{dom}(S[l \mapsto \bot])$ (since, by the side condition of E-New, $l' \notin \mathit{dom}(S)$, and since $l' \neq l$). Therefore, by Definition 8, $\langle S[l \mapsto \bot]; l\rangle$ is a safe renaming of $\langle S[l' \mapsto \bot]; l'\rangle$. Stepping both configurations by E-Refl, we have that $\sigma_c = \langle S[l \mapsto \bot]; l\rangle$ or a safe renaming thereof. Therefore the case holds up to safe renamings of $\sigma_c$.

A.6.10 E-PutVal

• E-PutVal: $\sigma = \langle S; \mathtt{put}\ l\ \{d_1\}\rangle$, and $\sigma_a = \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$.
Given:

- $\langle S; \mathtt{put}\ l\ \{d_1\}\rangle \hookrightarrow \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$, and

- $\langle S; \mathtt{put}\ l\ \{d_1\}\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{put}\ l\ \{d_1\}\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-PutVal/E-Refl, E-PutVal/E-Put-1, E-PutVal/E-Put-2, E-PutVal/E-PutVal, E-PutVal/E-PutErr-1, E-PutVal/E-PutErr-2, and E-PutVal/E-PutValErr.

- E-PutVal/E-Refl:

Analogous to the E-Refl/E-PutVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutVal/E-Put-1:

Analogous to the E-Put-1/E-PutVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutVal/E-Put-2:

Analogous to the E-Put-2/E-PutVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutVal/E-PutVal:

In this case, by the operational semantics, $\sigma_b = \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$. Since $\sigma_a = \sigma_b = \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$, choose $\sigma_c = \langle S[l \mapsto d_1 \sqcup d_2]; \{\}\rangle$. By E-Refl, both $\sigma_a$ and $\sigma_b$ step to $\sigma_c$, as we were required to show.

- E-PutVal/E-PutErr-1:

For this case to occur, we would need to have $\langle S; l\rangle \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-1). But $l$ is a value (and $S \neq \top_S$), so $\langle S; l\rangle$ can only step to $\langle S; l\rangle$, not error. Therefore, this case cannot occur.

- E-PutVal/E-PutErr-2:

For this case to occur, we would need to have $\langle S; \{d_1\}\rangle \hookrightarrow \mathit{error}$ (from the premise of E-PutErr-2). But $\{d_1\}$ is a value (and $S \neq \top_S$), so $\langle S; \{d_1\}\rangle$ can only step to $\langle S; \{d_1\}\rangle$, not error. Therefore, this case cannot occur.

- E-PutVal/E-PutValErr:

For this case to occur, we would need to have $d_1 \sqcup d_2 = \top$ (from the last premise of E-PutValErr). But we have that $d_1 \sqcup d_2 \neq \top$ from the last premise of E-PutVal. Therefore, this case cannot occur.

A.6.11 E-GetVal

• E-GetVal: $\sigma = \langle S; \mathtt{get}\ l\ Q\rangle$, and $\sigma_a = \langle S; \{d_1\}\rangle$.
Given:

- $\langle S; \mathtt{get}\ l\ Q\rangle \hookrightarrow \langle S; \{d_1\}\rangle$, and

- $\langle S; \mathtt{get}\ l\ Q\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S; \{d_1\}\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{get}\ l\ Q\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are six possibilities: E-GetVal/E-Refl, E-GetVal/E-Get-1, E-GetVal/E-Get-2, E-GetVal/E-GetVal, E-GetVal/E-GetErr-1, and E-GetVal/E-GetErr-2.

- E-GetVal/E-Refl:

Analogous to the E-Refl/E-GetVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetVal/E-Get-1:

Analogous to the E-Get-1/E-GetVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetVal/E-Get-2:

Analogous to the E-Get-2/E-GetVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetVal/E-GetVal:

In this case, by the operational semantics, $\sigma_b = \langle S; \{d_1\}\rangle$. Since $\sigma_a = \sigma_b = \langle S; \{d_1\}\rangle$, choose $\sigma_c = \langle S; \{d_1\}\rangle$. By E-Refl, both $\sigma_a$ and $\sigma_b$ step to $\sigma_c$, as we were required to show.

- E-GetVal/E-GetErr-1:

For this case to occur, we would need to have $\langle S; l\rangle \hookrightarrow \mathit{error}$ (from the premise of E-GetErr-1). But $l$ is a value (and $S \neq \top_S$), so $\langle S; l\rangle$ can only step to $\langle S; l\rangle$, not error. Therefore, this case cannot occur.

- E-GetVal/E-GetErr-2:

For this case to occur, we would need to have $\langle S; Q\rangle \hookrightarrow \mathit{error}$ (from the premise of E-GetErr-2). But $Q$ is a value (and $S \neq \top_S$), so $\langle S; Q\rangle$ can only step to $\langle S; Q\rangle$, not error. Therefore, this case cannot occur.

A.6.12 E-ConvertVal

• E-ConvertVal: $\sigma = \langle S; \mathtt{convert}\ Q\rangle$, and $\sigma_a = \langle S; \delta(Q)\rangle$.
Given:

- $\langle S; \mathtt{convert}\ Q\rangle \hookrightarrow \langle S; \delta(Q)\rangle$, and

- $\langle S; \mathtt{convert}\ Q\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\langle S; \delta(Q)\rangle \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{convert}\ Q\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are four possibilities: E-ConvertVal/E-Refl, E-ConvertVal/E-Convert, E-ConvertVal/E-ConvertVal, and E-ConvertVal/E-ConvertErr.

- E-ConvertVal/E-Refl:

Analogous to the E-Refl/E-ConvertVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertVal/E-Convert:

Analogous to the E-Convert/E-ConvertVal case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertVal/E-ConvertVal:

In this case, by the operational semantics, $\sigma_b = \langle S; \delta(Q)\rangle$. Since $\sigma_a = \sigma_b = \langle S; \delta(Q)\rangle$, choose $\sigma_c = \langle S; \delta(Q)\rangle$. By E-Refl, both $\sigma_a$ and $\sigma_b$ step to $\sigma_c$, as we were required to show.

- E-ConvertVal/E-ConvertErr:

For this case to occur, we would need to have $\langle S; Q\rangle \hookrightarrow \mathit{error}$ (from the premise of E-ConvertErr). But $Q$ is a value (and $S \neq \top_S$), so $\langle S; Q\rangle$ can only step to $\langle S; Q\rangle$, not error. Therefore, this case cannot occur.
A.6.13 E-ReflErr

• E-ReflErr: $\sigma = \mathit{error}$, and $\sigma_a = \mathit{error}$.

Given:

- $\mathit{error} \hookrightarrow \mathit{error}$, and

- $\mathit{error} \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

For all subcases E-ReflErr/*, choose $\sigma_c = \mathit{error}$.
To show:

- $\mathit{error} \hookrightarrow \mathit{error}$, which is immediate from E-ReflErr, and

- $\sigma_b \hookrightarrow \mathit{error}$, which follows from the fact that $\mathit{error} \hookrightarrow \sigma_b$: since error can only step to error, $\sigma_b = \mathit{error}$.

A.6.14 E-AppErr-1

• E-AppErr-1: $\sigma = \langle S; e_1\ e_2\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; e_1\ e_2\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-AppErr-1/E-Refl, E-AppErr-1/E-ParApp, E-AppErr-1/E-Beta, E-AppErr-1/E-ReflErr, E-AppErr-1/E-AppErr-1, E-AppErr-1/E-AppErr-2, and E-AppErr-1/E-ParAppErr.

- E-AppErr-1/E-Refl:

Analogous to the E-Refl/E-AppErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-1/E-ParApp:

Analogous to the E-ParApp/E-AppErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-1/E-Beta:

Analogous to the E-Beta/E-AppErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-1/E-ReflErr:

Analogous to the E-ReflErr/E-AppErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-1/E-AppErr-1:

Choose $\sigma_c = \mathit{error}$. By E-AppErr-1, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

- E-AppErr-1/E-AppErr-2:

Choose $\sigma_c = \mathit{error}$. By E-AppErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

- E-AppErr-1/E-ParAppErr:

Choose $\sigma_c = \mathit{error}$. By E-ParAppErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

A.6.15 E-AppErr-2

• E-AppErr-2: $\sigma = \langle S; e_1\ e_2\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; e_1\ e_2\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-AppErr-2/E-Refl, E-AppErr-2/E-ParApp, E-AppErr-2/E-Beta, E-AppErr-2/E-ReflErr, E-AppErr-2/E-AppErr-1, E-AppErr-2/E-AppErr-2, and E-AppErr-2/E-ParAppErr.

- E-AppErr-2/E-Refl:

Analogous to the E-Refl/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-ParApp:

Analogous to the E-ParApp/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-Beta:

Analogous to the E-Beta/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-ReflErr:

Analogous to the E-ReflErr/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-AppErr-1:

Analogous to the E-AppErr-1/E-AppErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-AppErr-2/E-AppErr-2:

Choose $\sigma_c = \mathit{error}$. By E-AppErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

- E-AppErr-2/E-ParAppErr:

Choose $\sigma_c = \mathit{error}$. By E-ParAppErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.
A.6.16 E-ParAppErr

• E-ParAppErr: $\sigma = \langle S; e_1\ e_2\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; e_1\ e_2\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-ParAppErr/E-Refl, E-ParAppErr/E-ParApp, E-ParAppErr/E-Beta, E-ParAppErr/E-ReflErr, E-ParAppErr/E-AppErr-1, E-ParAppErr/E-AppErr-2, and E-ParAppErr/E-ParAppErr.

- E-ParAppErr/E-Refl:

Analogous to the E-Refl/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-ParApp:

Analogous to the E-ParApp/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-Beta:

Analogous to the E-Beta/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-ReflErr:

Analogous to the E-ReflErr/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-AppErr-1:

Analogous to the E-AppErr-1/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-AppErr-2:

Analogous to the E-AppErr-2/E-ParAppErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ParAppErr/E-ParAppErr:

Choose $\sigma_c = \mathit{error}$. By E-ParAppErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

A.6.17 E-PutErr-1

• E-PutErr-1: $\sigma = \langle S; \mathtt{put}\ e_1\ e_2\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are eight possibilities: E-PutErr-1/E-Refl, E-PutErr-1/E-Put-1, E-PutErr-1/E-Put-2, E-PutErr-1/E-PutVal, E-PutErr-1/E-ReflErr, E-PutErr-1/E-PutErr-1, E-PutErr-1/E-PutErr-2, and E-PutErr-1/E-PutValErr.

- E-PutErr-1/E-Refl:

Analogous to the E-Refl/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-Put-1:

Analogous to the E-Put-1/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-Put-2:

Analogous to the E-Put-2/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-PutVal:

Analogous to the E-PutVal/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-ReflErr:

Analogous to the E-ReflErr/E-PutErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-1/E-PutErr-1:

Choose $\sigma_c = \mathit{error}$. By E-PutErr-1, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

- E-PutErr-1/E-PutErr-2:

Choose $\sigma_c = \mathit{error}$. By E-PutErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

- E-PutErr-1/E-PutValErr:

Choose $\sigma_c = \mathit{error}$. By E-PutValErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

A.6.18 E-PutErr-2

• E-PutErr-2: $\sigma = \langle S; \mathtt{put}\ e_1\ e_2\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are eight possibilities: E-PutErr-2/E-Refl, E-PutErr-2/E-Put-1, E-PutErr-2/E-Put-2, E-PutErr-2/E-PutVal, E-PutErr-2/E-ReflErr, E-PutErr-2/E-PutErr-1, E-PutErr-2/E-PutErr-2, and E-PutErr-2/E-PutValErr.

- E-PutErr-2/E-Refl:

Analogous to the E-Refl/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-Put-1:

Analogous to the E-Put-1/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-Put-2:

Analogous to the E-Put-2/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-PutVal:

Analogous to the E-PutVal/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-ReflErr:

Analogous to the E-ReflErr/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-PutErr-1:

Analogous to the E-PutErr-1/E-PutErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutErr-2/E-PutErr-2:

Choose $\sigma_c = \mathit{error}$. By E-PutErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

- E-PutErr-2/E-PutValErr:

Choose $\sigma_c = \mathit{error}$. By E-PutValErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

A.6.19 E-GetErr-1

• E-GetErr-1: $\sigma = \langle S; \mathtt{get}\ e_1\ e_2\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-GetErr-1/E-Refl, E-GetErr-1/E-Get-1, E-GetErr-1/E-Get-2, E-GetErr-1/E-GetVal, E-GetErr-1/E-ReflErr, E-GetErr-1/E-GetErr-1, and E-GetErr-1/E-GetErr-2.

- E-GetErr-1/E-Refl:

Analogous to the E-Refl/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-Get-1:

Analogous to the E-Get-1/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-Get-2:

Analogous to the E-Get-2/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-GetVal:

Analogous to the E-GetVal/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-ReflErr:

Analogous to the E-ReflErr/E-GetErr-1 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-1/E-GetErr-1:

Choose $\sigma_c = \mathit{error}$. By E-GetErr-1, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

- E-GetErr-1/E-GetErr-2:

Choose $\sigma_c = \mathit{error}$. By E-GetErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

A.6.20 E-GetErr-2

• E-GetErr-2: $\sigma = \langle S; \mathtt{get}\ e_1\ e_2\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{get}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are seven possibilities: E-GetErr-2/E-Refl, E-GetErr-2/E-Get-1, E-GetErr-2/E-Get-2, E-GetErr-2/E-GetVal, E-GetErr-2/E-ReflErr, E-GetErr-2/E-GetErr-1, and E-GetErr-2/E-GetErr-2.

- E-GetErr-2/E-Refl:

Analogous to the E-Refl/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-Get-1:

Analogous to the E-Get-1/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-Get-2:

Analogous to the E-Get-2/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-GetVal:

Analogous to the E-GetVal/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-ReflErr:

Analogous to the E-ReflErr/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-GetErr-1:

Analogous to the E-GetErr-1/E-GetErr-2 case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-GetErr-2/E-GetErr-2:

Choose $\sigma_c = \mathit{error}$. By E-GetErr-2, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.
A.6.21 E-ConvertErr

• E-ConvertErr: $\sigma = \langle S; \mathtt{convert}\ e\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; \mathtt{convert}\ e\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathtt{convert}\ e\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{convert}\ e\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are five possibilities: E-ConvertErr/E-Refl, E-ConvertErr/E-Convert, E-ConvertErr/E-ConvertVal, E-ConvertErr/E-ReflErr, and E-ConvertErr/E-ConvertErr.

- E-ConvertErr/E-Refl:

Analogous to the E-Refl/E-ConvertErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertErr/E-Convert:

Analogous to the E-Convert/E-ConvertErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertErr/E-ConvertVal:

Analogous to the E-ConvertVal/E-ConvertErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertErr/E-ReflErr:

Analogous to the E-ReflErr/E-ConvertErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-ConvertErr/E-ConvertErr:

Choose $\sigma_c = \mathit{error}$. By E-ConvertErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

A.6.22 E-PutValErr

• E-PutValErr: $\sigma = \langle S; \mathtt{put}\ e_1\ e_2\rangle$, and $\sigma_a = \mathit{error}$.
Given:

- $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \mathit{error}$, and

- $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$.

To show: There exists $\sigma_c$ such that

- $\mathit{error} \hookrightarrow \sigma_c$, and

- $\sigma_b \hookrightarrow \sigma_c$.

Choose $\sigma_c = \mathit{error}$. We have immediately that $\mathit{error} \hookrightarrow \mathit{error}$ by E-ReflErr, so it remains to show that $\sigma_b \hookrightarrow \mathit{error}$.

We proceed by subcases, on the last rule in the derivation of $\langle S; \mathtt{put}\ e_1\ e_2\rangle \hookrightarrow \sigma_b$. By the operational semantics, there are eight possibilities: E-PutValErr/E-Refl, E-PutValErr/E-Put-1, E-PutValErr/E-Put-2, E-PutValErr/E-PutVal, E-PutValErr/E-ReflErr, E-PutValErr/E-PutErr-1, E-PutValErr/E-PutErr-2, and E-PutValErr/E-PutValErr.

- E-PutValErr/E-Refl:

Analogous to the E-Refl/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-Put-1:

Analogous to the E-Put-1/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-Put-2:

Analogous to the E-Put-2/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-PutVal:

Analogous to the E-PutVal/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-ReflErr:

Analogous to the E-ReflErr/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-PutErr-1:

Analogous to the E-PutErr-1/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-PutErr-2:

Analogous to the E-PutErr-2/E-PutValErr case, with $\sigma_a$ and $\sigma_b$ reversed.

- E-PutValErr/E-PutValErr:

Choose $\sigma_c = \mathit{error}$. By E-PutValErr, $\sigma_b = \mathit{error}$, so by E-ReflErr, both $\sigma_a$ and $\sigma_b$ step to error, as desired.

□ 



A.7 Strong One-Sided Confluence

Lemma 7 (Strong One-Sided Confluence). If $\sigma \hookrightarrow \sigma'$ and $\sigma \hookrightarrow^m \sigma''$, where $1 \le m$, then there exist $\sigma_c, i, j$ such that $\sigma' \hookrightarrow^i \sigma_c$ and $\sigma'' \hookrightarrow^j \sigma_c$ and $i \le m$ and $j \le 1$.

Proof. We proceed by induction on $m$. In the base case of $m = 1$, the result is immediate from Corollary 1. For the induction step, suppose $\sigma \hookrightarrow^m \sigma'' \hookrightarrow \sigma'''$ and suppose the lemma holds for $m$. From the induction hypothesis, we have that there exist $\sigma'_c, i', j'$ such that $\sigma' \hookrightarrow^{i'} \sigma'_c$ and $\sigma'' \hookrightarrow^{j'} \sigma'_c$ and $i' \le m$ and $j' \le 1$. We have two cases:

• If $j' = 0$, then $\sigma'' = \sigma'_c$. We can then choose $\sigma_c = \sigma'''$ and $i = i' + 1$ and $j = 0$.

• If $j' = 1$, then from $\sigma'' \hookrightarrow \sigma'''$ and $\sigma'' \hookrightarrow^{j'} \sigma'_c$ and Corollary 1 we have $\sigma''_c$ and $i''$ and $j''$ such that $\sigma''' \hookrightarrow^{i''} \sigma''_c$ and $\sigma'_c \hookrightarrow^{j''} \sigma''_c$ and $i'' \le 1$ and $j'' \le 1$. So we also have $\sigma' \hookrightarrow^{i'} \sigma'_c \hookrightarrow^{j''} \sigma''_c$. In summary, we pick $\sigma_c = \sigma''_c$ and $i = i' + j''$ and $j = i''$, which is sufficient because $i = i' + j'' \le m + 1$ and $j = i'' \le 1$.

□ 

A.8 Strong Confluence

Lemma 8 (Strong Confluence). If $\sigma \hookrightarrow^n \sigma'$ and $\sigma \hookrightarrow^m \sigma''$, where $1 \le n$ and $1 \le m$, then there exist $\sigma_c, i, j$ such that $\sigma' \hookrightarrow^i \sigma_c$ and $\sigma'' \hookrightarrow^j \sigma_c$ and $i \le m$ and $j \le n$.

Proof. We proceed by induction on $n$. In the base case of $n = 1$, the result is immediate from Lemma 7. For the induction step, suppose $\sigma \hookrightarrow^n \sigma' \hookrightarrow \sigma'''$ and suppose the lemma holds for $n$. From the induction hypothesis, we have that there exist $\sigma'_c, i', j'$ such that $\sigma' \hookrightarrow^{i'} \sigma'_c$ and $\sigma'' \hookrightarrow^{j'} \sigma'_c$ and $i' \le m$ and $j' \le n$. We have two cases:

• If $i' = 0$, then $\sigma' = \sigma'_c$. We can then choose $\sigma_c = \sigma'''$ and $i = 0$ and $j = j' + 1$.

• If $i' \ge 1$, then from $\sigma' \hookrightarrow \sigma'''$ and $\sigma' \hookrightarrow^{i'} \sigma'_c$ and Lemma 7 we have $\sigma''_c$ and $i''$ and $j''$ such that $\sigma''' \hookrightarrow^{i''} \sigma''_c$ and $\sigma'_c \hookrightarrow^{j''} \sigma''_c$ and $i'' \le i'$ and $j'' \le 1$. So we also have $\sigma'' \hookrightarrow^{j'} \sigma'_c \hookrightarrow^{j''} \sigma''_c$. In summary, we pick $\sigma_c = \sigma''_c$ and $i = i''$ and $j = j' + j''$, which is sufficient because $i = i'' \le i' \le m$ and $j = j' + j'' \le n + 1$.

□ 
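The statement of Lemma 8 (and of Lemma 7, which is the $n = 1$ instance) can be checked mechanically on a small model. The following Python script is an added example and not code from the paper: it constructs a toy LVar-style store with a flat single-assignment lattice, models only E-Refl, E-ReflErr and a put rule whose join reaching top yields error (as in E-PutValErr), enumerates every configuration reachable from a constructed initial configuration, and tests by brute force that any two reduction sequences of lengths $n$ and $m$ can be joined within $m$ and $n$ further steps. It goes slightly beyond the proof by also running the same check with a non-monotonic last-writer-wins update in place of the join, which is where strong confluence, and with it determinism, is lost. The lattice, the configuration encoding, the step relation and the initial puts are assumptions of this example.

```python
"""Brute-force check of strong confluence (the statement of Lemma 8) on a toy
LVar-style store.  This is an added example, not code from the paper: the
flat lattice, the configuration encoding and the step relation below are
constructed for illustration, and model only put, E-Refl and the error rules.
"""
from typing import Callable, Hashable, Set, Tuple, Union

ERROR = "error"          # the absorbing error configuration
TOP = "TOP"              # lattice top: a put whose join reaches it is an error
BOT = None               # lattice bottom: the value of an unwritten variable

Put = Tuple[str, Hashable]                          # (variable, value written)
Store = Tuple[Put, ...]                             # sorted (variable, value) pairs
Config = Union[str, Tuple[Store, Tuple[Put, ...]]]  # ERROR or (store, pending puts)
Join = Callable[[Hashable, Hashable], Hashable]


def flat_lub(x: Hashable, y: Hashable) -> Hashable:
    """Least upper bound in the flat single-assignment (IVar) lattice:
    BOT below everything, TOP above everything, distinct values incomparable."""
    if x == BOT:
        return y
    if y == BOT:
        return x
    return x if x == y else TOP


def overwrite(x: Hashable, y: Hashable) -> Hashable:
    """Last-writer-wins update.  Not a join; used as the non-monotonic contrast."""
    return y


def step(cfg: Config, join: Join) -> Set[Config]:
    """All one-step successors of cfg under the toy rules."""
    if cfg == ERROR:
        return {ERROR}                 # E-ReflErr: error steps only to error
    store, pending = cfg
    succs: Set[Config] = {cfg}         # E-Refl: every configuration steps to itself
    for k, (var, val) in enumerate(pending):
        rest = pending[:k] + pending[k + 1:]
        new = join(dict(store).get(var, BOT), val)
        if new == TOP:
            succs.add(ERROR)           # E-PutValErr: the put would reach top
        else:
            updated = dict(store)
            updated[var] = new
            succs.add((tuple(sorted(updated.items())), rest))
    return succs


def reach(cfg: Config, steps: int, join: Join) -> Set[Config]:
    """Configurations reachable from cfg in exactly `steps` steps.  Because E-Refl
    makes the relation reflexive, this equals 'in at most `steps` steps'."""
    frontier = {cfg}
    for _ in range(steps):
        frontier = {s for c in frontier for s in step(c, join)}
    return frontier


def all_configs(init: Config, join: Join) -> Set[Config]:
    """Every configuration reachable from init (the state space is finite here)."""
    seen: Set[Config] = set()
    todo = [init]
    while todo:
        c = todo.pop()
        if c not in seen:
            seen.add(c)
            todo.extend(step(c, join))
    return seen


def strongly_confluent(init: Config, join: Join, bound: int = 3) -> bool:
    """Check Lemma 8's statement for every reachable sigma and all 1 <= n, m <= bound:
    whenever sigma ->^n s1 and sigma ->^m s2, some sigma_c is reachable from s1
    in at most m steps and from s2 in at most n steps."""
    for sigma in all_configs(init, join):
        for n in range(1, bound + 1):
            for m in range(1, bound + 1):
                for s1 in reach(sigma, n, join):
                    for s2 in reach(sigma, m, join):
                        if not (reach(s1, m, join) & reach(s2, n, join)):
                            return False
    return True


# Constructed initial configuration: empty store and three puts that may run in
# any order; the two puts to x conflict, so the lattice store must reach error.
INIT: Config = ((), (("x", 1), ("x", 2), ("y", 3)))

if __name__ == "__main__":
    print("monotonic lub store strongly confluent:", strongly_confluent(INIT, flat_lub))
    print("overwrite store strongly confluent:   ", strongly_confluent(INIT, overwrite))
```

With the join, every interleaving of the pending puts either reaches the same store or the same error, so the check succeeds; with overwrite, two orders of the conflicting puts to x end in different stores that no further step can reconcile, and the check fails at the very first diamond.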